A potential security flaw in the "checkLoginIframe" which allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

#### Acknowledgements
Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-1249

**Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS**

High severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024

**Package**

maven org.keycloak:keycloak-services (Maven)

**Affected versions**

< 22.0.10

\>= 23.0.0, < 24.0.3

**Patched versions**

22.0.10

24.0.3

**Description**

Published to the GitHub Advisory Database

Apr 17, 2024

Last updated

Apr 17, 2024

GHSA-m6q9-p373-g5q8: Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1868.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of Keycloak security update  
Advisory ID:        RHSA-2024:1868-03  
Product:            Red Hat build of Keycloak  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1868  
Issue date:         2024-04-17  
Revision:           03  
CVE Names:          CVE-2023-0657  
====================================================================

Summary: 

An update is now available for Red Hat build of Keycloak.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat build of Keycloak 22.0.10 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security Fix(es):

* path transversal in redirection validation (CVE-2024-1132)

* org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)

* secondary factor bypass in step-up authentication (CVE-2023-3597)

* Authorization Bypass (CVE-2023-6544)

* XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)

* session hijacking via re-authentication (CVE-2023-6787)

* impersonation via logout token exchange (CVE-2023-0657)

* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-0657

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2166728  
https://bugzilla.redhat.com/show_bug.cgi?id=2221760  
https://bugzilla.redhat.com/show_bug.cgi?id=2248423  
https://bugzilla.redhat.com/show_bug.cgi?id=2253116  
https://bugzilla.redhat.com/show_bug.cgi?id=2253952  
https://bugzilla.redhat.com/show_bug.cgi?id=2254375  
https://bugzilla.redhat.com/show_bug.cgi?id=2262117  
https://bugzilla.redhat.com/show_bug.cgi?id=2262918

Red Hat Security Advisory 2024-1868-03

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

Source: Stuart Miles via Alamy Stock Photo

A number of botnets are pummeling a nearly year-old command-injection vulnerability in TP-Link routers to compromise the devices for IoT-driven distributed denial of service (DDoS) attacks.

There already is a patch for the flaw, tracked as CVE-2023-1389, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior.

However, threat actors are taking advantage of unpatched devices to dispatch various botnets — include Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet — that can compromise the devices for DDoS and further nefarious activity, according to a blog post from Fortiguard Labs Threat Research.

"Recently, we observed multiple attacks focusing on this year-old vulnerability," which already was previously exploited by the in Mirai botnet, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguard's IPS telemetry has detected significant traffic peaks, which alerted the researchers to the malicious activity, they said.

**Exploiting the TP-Link Flaw**

The flaw creates a scenario in which there is no sanitization of the "Country" field of the router's management interface, "so an attacker can exploit it for malicious activities and gain foothold," according to TP-Link's security advisory for the flaw.

"This is an unauthenticated command-injection vulnerability in the 'locale' API available via the web management interface," Lin and Li explained.

To exploit it, users can query the specified form "country" and conduct a "write" operation, which is handled by the "set\_country" function, the researchers explained. That function calls the "merge\_config\_by\_country" function and concatenates the argument of the specified form "country" into a command string. This string is then executed by the "popen" function.

"Since the 'country' field won't be emptied, the attacker can achieve command injection," the researchers wrote.

**Botnets to the Siege**

TP-Link's advisory when the flaw was revealed last year included acknowledgement of exploitation by the Mirai botnet. But since then other botnets as well as various Mirai variants also have taken siege against vulnerable devices.

One is Agoent, a Golang-based agent bot that attacks by first fetching the script file "exec.sh" from an attacker-controlled website, which then retrieves the Executable and Linkable Format (ELF) files of different Linux-based architectures.

The bot then executes two primary behaviors: the first is to create the host username and password using random characters, and the second is to establish connection with command and control (C2) to pass on the credentials just created by the malware for device takeover, the researchers said.

A botnet that creates denial of service (DoS) in Linux architectures called the Gafgyt variant also is attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux architecture execution files with the prefix filename "rebirth." The botnet then gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message, the researchers explained.

"After establishing a connection with its C2 server, the malware receives a continuous 'PING' command from the server to ensure persistence on the compromised target," the researchers wrote. It then waits for various C2 commands to create DoS attacks.

The botnet called Moobot also is attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attacker's C2 server, the researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnet's execution file designed for the "x86\_64" architecture to determine its exploitation activity, they said.

A variant of Mirai also is conducting DDoS attacks in its exploitation of the flaw by sending a packet from the C&C server to direct the endpoint to initiate the attack, the researchers noted.

"The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victim's IP address and the port number 30129," they explained.

Miori, another Mirai variant, also has joined the fray to conduct brute-force attacks on compromised devices, the researchers noted. And they also observed attacks by Condi that remains consistent with a version of the botnet that was active last year.

The attack retains the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system, and scans active processes and cross-references with predefined strings to terminate processes with matching names, the researchers said.

**Patch & Protect to Avoid DDoS**

Botnet attacks that exploit device flaws to target IoT environments are "relentless," and thus users should be vigilant against DDoS botnets," the researchers noted. Indeed, IoT adversaries are advancing their attacks by pouncing on unpatched device flaws to further their sophisticated attack agendas.

Attacks against TP-Link devices can be mitigated by applying the available patch for affected devices, and this practice should be followed for any other IoT devices "to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors," the researchers wrote.

Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs, and files that can help server administrators identify an attack.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

By Deeba Ahmed
The Philippines finds itself under an online siege as tensions escalate in the South China Sea (SCS) with China, claims cybersecurity firm Resecurity. 
This is a post from HackRead.com Read the original post: Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

The Philippines faces a surge in cyberattacks as tensions rise in the South China Sea. Hacktivists and misinformation campaigns target government websites, spread fake news, and disrupt critical infrastructure. Learn why the Philippines is a cyberwarfare hotspot and how the country can defend itself.

Resecurity reports a 325% increase in cyberattacks targeting the country in Q1 2024 compared to the same period last year. **Cyberattacks involving hacktivist groups** and foreign misinformation campaigns have nearly tripled with multiple attacks staged by unknown threat actors in Q2 2024, combining ideological motivations with nation-state-sponsored propaganda. 

The Philippines, located near the South China Sea, is facing tensions due to China’s assertive actions and its role as a Major Non-NATO Ally (**MNNA**). The island nation’s maritime trade routes and proximity to Taiwan make it a potential staging ground for military operations in a larger conflict, prompting adversaries to disrupt the country’s infrastructure.

Resecurity **found** numerous hacktivist groups  targeting the Philippines, including the pro-China Mustang Panda, DeathNote Hackers, and Exodus Security. In February, Exodus Security staged targeted **DDoS attacks**, leaking stolen data from various countries, including the Philippines, and announced partnerships with Cyber Operation Alliance, Robin Cyber Hood, Arab Anonymous, and Sylnet Gang-SG to broaden their activities. 

In addition, local hacking groups, including Philippine Hacking University, Excommunicado, CyberMafia Philippines, Philippine Cyber Alliance, Bisaya Cyber Army, and LizardSquad Philippines, are also using hacking as a form of protest. 

Recently, threat actor “KryptonZambie” claimed to have stolen over 152 gigabytes of Philippine citizen identity card data from unnamed sources whereas the Philippine Department of Science and Technology (DoST), was targeted by a cyberattack likely orchestrated by threat actors involved in a broader misinformation campaign.

It’s noteworthy that KryptonZambie was also responsible for the data breach of the widely-used CutOut.Pro AI Tool, leading to the exposure of personal details of over 20 million users on the infamous cybercrime and hacker forum Breach Forums.

The threat actor has recently claimed responsibility for data breaches at LeadSquared, an Indian software platform, and WeRize, India’s inaugural socially distributed full-stack financial services platform. Allegedly, the stolen data amounts to over 1.3 terabytes collectively.

> 📢 The hacker behind #CutOutPro breach involving 20 million accounts now claims to have breached @LeadSquared, an Indian software platform, and @WeRize\_Official, India's first socially distributed full-stack financial services platform. The leaked data is over 1.3TB collectively. pic.twitter.com/FT0hNpPP4D
> 
> — Hackread.com (@HackRead) April 15, 2024

These groups use hacktivist-related monikers to avoid attribution and create a perception of social conflict online. They also use tactics like website defacement, data breaches, and misinformation campaigns to disrupt essential services and embarrass the government. They may also hijack government or critical infrastructure websites, steal sensitive data, and create public distrust through social media and online forums. 

Cyberattacks in the Philippines have significant implications beyond immediate disruption. They can erode public trust, escalating tensions between the country and China, and disrupt the economy by affecting critical infrastructure.

To counter these threats, the Philippines needs a multifaceted approach. This includes upgrading cybersecurity infrastructure, investing in threat intelligence, and fostering public-private partnerships.

1.  Chinese APT Posing as Cloud Services to Spy on Cambodia
2.  Unsecured Database Leaks 153 GB of Filipino Student, Family Data
3.  Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Cyberattacks tripled over the past year in Israel, making it the most targeted nation in 2023, as cyber operations become a standard part of military conflicts and global protests.

Source: Ruma Aktar via Alamy Stock Photo

As tensions in the Middle East continue to escalate, cyberattacks and operations have become a standard part of the fabric of the geopolitical conflict.

Last week, the head of Israel's National Cyber Directorate blamed Iran and Hezbollah for "around the clock" cyberattacks against the country's networks, government agencies, and businesses, tripling in intensity as Israel's military operations continued against Hamas in Gaza. Following Quds Day — Iran's commemoration of its pro-Palestinian Jerusalem Day on April 5 — dozens of denial-of-service attacks disrupted Israeli targets, according to data from cybersecurity firm Radware.

While the volume of cyberattacks are running at a lower level so far this year, renewed tensions between Israel, Iran, and Lebanon could easily lead to more cyber activity, says Pascal Geenens, director of threat research for Tel Aviv-based Radware, a maker of cloud security solutions.

"There are two planes that we need to consider here," Geenens says. "One is more nation-state aligned, meaning purposely doing attacks against another nation, while the other is all the hacktivist activity — they just want to share their message \[and\] show that they're not happy with the situation."

Overall, Israel should be ready for more destructive cyberattacks, as Iran and other regional cyber groups have shown little restraint in such attacks, Google conclude in its "Tool of First Resort: Israel-Hamas War in Cyber" report, published in February. As Iran and Hezbollah appear ready to use destructive cyberattacks against both Israel and the United States, Israeli-linked groups likely will continue to target Iran, and hacktivists will likely target any organization they deem associated with their perceived enemies, the report stated.

"We assess with high confidence that Iran-linked groups are likely to continue to conduct destructive cyber attacks, particularly in the event of any perceived escalation to the conflict, which may include kinetic activity against Iranian proxy groups in various countries, such as Lebanon and Yemen," the company stated in the report.

**Not Your Father's Cyber Conflict**

When Russia invaded Ukraine, the Russian military used cyberattacks to target Ukraine prior to the invasion and during the invasion, and widely attacked the US and Ukraine's allies in Europe in the two years since the start of the war.

A significant spike in cyberattacks came prior to and after Oct. 7, while much more modest levels of activity targeted Israel this year. Source: Radware

For the Middle East, the cyber conflict has a different character. On one hand, the participants in the conflict have different strengths and limitations, which are affecting their options and making the cyber conflict more asymmetrical. Where the Russian government has a unity of purpose, Iran and Hamas are more opportunistic adversaries. Where Russia and Ukraine have similar cyber capabilities, Israel's military operations have limited Hamas' ability to respond, and the country has the most sophisticated cyber-offensive capabilities in the region, says Ben Read, head of cyber espionage analysis for Google Cloud's Mandiant incident-response group.

"Iran is very opposed to Israel, but aren't a direct party to the conflict, so their goals aren't necessarily about supporting the seizure of territory in the same sort of way as Russia," he says. "Because conventional weapons are not \[currently\] an outcome acceptable to Iran, they are using cyber to do some destructive \[operations\]. ... Cyber can be an easier tool to reach for there."

Iran is not the only anti-Israeli actor in the region. Google has observed cyber operations by groups linked to Hezbollah, a Lebanese Islamist political party and militant group aligned with Iran.

Iran has also been the target of disruptive cyber operations in the context of the conflict, says Kirsten Dennesen, reporting analyst with Google's Threat Analysis Group (TAG). Several disruptive attacks on the nation's infrastructure have been attributed to Predatory Sparrow, which reappeared in October and attacked Iranian gas stations in December, and which some analysts have linked to Israel.

"Telegraphing intent and demonstrating involvement in the conflict without escalating or directly taking part in on-the-ground confrontation ... limits potential blowback while also giving regional players the opportunity to project power through the cyber domain," she says. "Moreover, cyber capabilities can be quickly deployed at minimal cost by actors who may wish to avoid armed conflict."

**Resurgence in Hacktivism**

Nation-states are not the only actors involved in the conflict. In the past year, hacktivism has taken off as technologically savvy protesters react to the Russia-Ukraine war and the conflict between Israel and Hamas. Much of the increase in attack activity in Israel is due to hacktivism, as is demonstrated by sharp upticks in denial-of-service attacks, says Radware's Geenens.

"It's not like it did not exist before, but before they were much less organized, and now they have like this ability to gather on Telegram," he says. "They all started to communicate with each other through hashtags. They find each other much more easy, so they come together and create alliances to perform attacks."

In the past, the groups banded together under the Anonymous name, claiming the monicker for their own and attempting to get other groups to sign up. Today, they use operation-specific hashtags on Telegram to gain like-minded collaborators, a much more efficient method of operation, Geenens says.

Hacktivism likely will continue to fuel attacks against not only Israel, but other countries as well, he says. Attacks are more likely to ramp up quickly as nation-states develop standard techniques and hacktivists are able to collaborate more efficiently.

"Anything that happens in the future," Geenens says, "whether it be a military operation or an outcome of an election that they don't like or somebody says something that that they don't like — they will be there and there will be a wave of DDoS attacks."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cyber Operations Intensify in Middle East, With Israel the Main Target

Akamai joins a growing list of security vendors aiming to strengthen companies' DNS defenses.

Source: momius via Adobe Stock Photo

Attacks against the Domain Name System (DNS) are numerous and varied, so organizations have to rely on layers of protective measures, such as traffic monitoring, threat intelligence, and advanced network firewalls, to act in concert. With NXDOMAIN attacks on the rise, organizations need to strengthen their DNS defenses.

With the release of Shield NS53, Akamai joins a growing list of security vendors with DNS tools capable of defending against NXDOMAIN attacks. The new service extends Akamai's Edge DNS technologies in the cloud to on-premises deployments.

In an NXDOMAIN attack — also known as a DNS Water Torture DDoS attack — adversaries overwhelm the DNS server with a large volume of requests for nonexistent (hence the NX prefix) or invalid domains and subdomains. The DNS proxy server uses up most, if not all, of its resources querying the DNS authoritative server, to the point where the server no longer has the capacity to handle any requests, legitimate or bogus. More junk queries hitting the server means more resources — server CPU, network bandwidth, and memory — needed to handle them, and legitimate requests take longer to process. When people can't reach the website because of NXDOMAIN errors, that translates to potentially lost customers, lost revenue, and reputational damage.

NXDOMAIN has been a common attack vector for many years, and is becoming a bigger problem, says Jim Gilbert, Akamai's director of product management. Akamai observed 40% of overall DNS queries for its top 50 financial services customers contained NXDOMAIN records last year.

**Beefing Up DNS Protection**

While it is theoretically possible to defend against DNS attacks by adding more capacity — more resources means it takes larger and longer attacks to knock down the servers — it is not a financially viable or scalable technical approach for most organizations. But they can beef up their DNS protection in other ways.

Enterprise defenders need to make sure they understand their DNS environment. This means documenting where DNS resolvers are currently deployed, how on-premises and cloud resources interact with them, and how they make use of advanced services, such as Anycast, and DNS security protocols.

"There could be good compliance reasons that enterprises want to keep their original DNS assets on premises," says Akamai's Gilbert, noting that Shield NS53 allows enterprises to add protective controls while keeping existing DNS infrastructure intact.

Protecting DNS should also be part of an overall distributed denial-of-service (DDoS) prevention strategy, since many DDoS attacks begin with DNS exploits. Nearly two-thirds of DDoS attacks last year used some form of DNS exploits last year, according to Akamai.

Before purchasing anything, security managers need to understand both the scope and limitations of the potential solution they are evaluating. For example, while Palo Alto's DNS security services cover a wide collection of DNS exploits besides NXDOMAIN, customers get that broad protection only if they have the vendor's next generation firewall and subscribe to its threat prevention service.

DNS defenses should also tie into a robust threat intelligence service so that defenders can identify and respond quickly to potential attacks and reduce false positives. Vendors such as Akamai, Amazon Web Services, Netscout, Palo Alto, and Infoblox operate large telemetry-gathering networks that help their DNS and DDoS protection tools spot an attack.

The Cybersecurity and Infrastructure Security Agency has put together a series of recommended actions that includes adding multifactor authentication to the accounts of their DNS administrators, as well as monitoring certificate logs and investigating any discrepancies.

**About the Author(s)**

Contributing Writer

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.

New Tool Shields Organizations From NXDOMAIN Attacks

By Waqas
Here's an updated list of five effective CAPTCHA plugins for WordPress that can help enhance the security of your website by preventing spam and bot activities:
This is a post from HackRead.com Read the original post: 5 Best CAPTCHA Plugins for WordPress Websites

As of 2024, the internet hosts over 1.89 billion websites, with approximately 835 million utilizing WordPress as their Content Management System (CMS). This represents about 43.3% of all websites globally.

Not only do these stats represent the expanding reach of the internet, but they also make WordPress a lucrative target for cybercriminals and spammers. While **WordPress security tips** are widely discussed to keep cybercriminals at bay, spamming is something not every website owner, especially newbies, is familiar with.

In this article, we will discuss five **CAPTCHA solutions** for WordPress and how a CAPTCHA plugin works.

Here’s an updated list of five effective CAPTCHA plugins for WordPress that can help enhance the security of your website by preventing spam and **bot activities:**

1.  **Captcha Plus**: This plugin offers multiple CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) options, including image-based, math-based, and Google reCAPTCHA. It’s known for its high performance and ease of customization, although it may be a bit overwhelming for beginners.
2.  **Google reCAPTCHA**: Perhaps the most well-known, this plugin uses advanced technology to differentiate humans from bots without disrupting the user experience. It’s seamlessly integrated into your forms and is supported by major form builders like WPForms.
3.  **Really Simple CAPTCHA**: As the name suggests, this plugin keeps it straightforward. It’s not as feature-rich as others, but it’s highly effective at blocking spam and is compatible with many form plugins​.
4.  **hCaptcha**: Offers a robust bot detection system and comes in both free and pro versions. The pro version includes advanced features like custom challenge creation and detailed analytics. It integrates well with a variety of forms and page builders, making it a versatile choice​.
5.  **Securimage-WP**: Great for those who prioritize a balance between strong security measures and maintaining user-friendliness. It integrates easily with popular form plugins like Contact Form 7 and Gravity Forms​.

****Honorable Mention: Akismet Anti-spam: Spam Protection****

Although not a CAPTCHA plugin, **Akismet Anti-spam** is a plugin designed to protect websites, particularly those using WordPress, from spam. Developed by Automattic, the same company behind WordPress.com, Akismet works by filtering out spam comments and form submissions.

It uses automated algorithms and community feedback to identify and block spam, helping keep websites clean and free from unwanted content. Akismet effectively reduces the time and effort needed to moderate spam, allowing website owners to focus on creating and managing content rather than dealing with spammy submissions.

****How does a CAPTCHA plugin work****

A CAPTCHA plugin works by presenting a challenge to website users to verify that they are human and not automated bots. Typically, this challenge involves completing a task that is easy for humans to do but difficult for bots to replicate, such as identifying distorted text, selecting certain images, or solving a simple puzzle.

The plugin then validates the user’s response, allowing access to the website if the challenge is completed correctly. This helps prevent automated bots from engaging in activities such as spamming forms, creating fake accounts, or launching malicious attacks on the website including DDoS attacks.

1.  New AI tool aims to make CAPTCHA a thing of the past
2.  Facebook captcha wants users to upload a clear photo of them
3.  Proton CAPTCHA: Privacy-First CAPTCHA Defense Against Bots

5 Best CAPTCHA Plugins for WordPress Websites

Global organizations and geopolitical entities must adopt new strategies to combat the growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

Source: Dragon Claws via Alamy Stock Photo

COMMENTARY

Today, it's rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks driven by geopolitical instability. Now, a single attack can include numerous countries and networks. While the war between Russia and Ukraine and elections in NATO countries like Poland drive geopolitically focused DDoS attacks, it's important to understand that these threats were present long before these conflicts, and will be around long after. But why are these attacks against governmental institutions so prominent, and why do they impact all of us in the first place? 

That is partially because changes in political leadership often correlate directly with a spike in DDoS attacks. For example, in Poland, DDoS attack volume increased fourfold within days of its new government being sworn into office. These spikes often result from hacktivist groups (e.g., KillNet, Noname057, Anonymous Sudan) opposing the viewpoints of newly elected officials. They impact the rest of us because DDoS attacks must cross multiple Internet service providers (ISPs) to reach the intended victim. 

Unfortunately, even an attack that is effectively mitigated will use up valuable resources on any ISP network it reaches. We refer to this as the "DDoS tax," which increases the cost of network operation, making it more expensive for everyone. In fact, global ISPs reported a 500% global increase in HTTP/S application layer attacks since 2019, and 17% growth in DNS reflection/amplification volumes in the first half of 2023. Furthermore, it is alarming that carpet-bombing attacks, a technique that simultaneously targets entire IP address ranges, increased by 110% from the first to the second half of 2022, with most attacks occurring against ISP networks.

The bottom line is that there is no escape from DDoS attacks on governmental institutions, and threat intelligence needs to be taken more seriously because of how universal the threat can be when it comes to compromising global ISP networks and additional IT infrastructure. Therefore, it is key for governmental entities to suppress DDoS attacks before they can begin.

**Comprehensive and Adaptive Defenses for Evolving DDoS Attacks**

With nation-states, bad actors often directly target Internet infrastructure to take out critical communications, ecommerce, and other vital infrastructure dependent on Internet connectivity. That means attackers target ISP networks to purposefully degrade Internet connectivity. Further, these bad actors typically have vastly more resources at their disposal than other attackers. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year, such as DNS Water Torture and Carpet Bombing. All the while, as DDoS defenses become more effective, bad actors continue to sidestep these defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers, who turn them against any entity from whom they can profit.

With the increased persistence of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks before they impact the availability of business-critical services. With today's growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now no longer nice to have, but a requirement. New techniques such as adaptive DDoS strategies, which change vectors based on the defense that is presented, reinforce the need for better agility and efficiency when it comes to managing these increasingly complex attacks.

In the end, threat actors will continue using DDoS attacks as a way to further disrupt and inflame sociopolitical tensions around the world. Security professionals need to consider both local and international conflicts when assessing the DDoS risk factors associated with nation-state attacks. The unfortunate reality is that bad actors continue to find new ways to orchestrate attacks through evolving methodologies. As such, global organizations and geopolitical entities must adopt new strategies right now, such as advanced DDoS defense and suppression, to combat this growing sophistication in attacks that parallel the complexities of our new geopolitical reality.

**About the Author(s)**

Director, Security Solutions, Netscout

Gary is an industry veteran, bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration, and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held positions with Avaya and Cable & Wireless.

How Nation-State DDoS Attacks Impact Us All

Distributed denial-of-service attacks still plague the enterprise, but adding preventive measures can reduce their impact.

Source: Aleksey Funtap via Alamy Stock Photo

In the security profession, controls are one of the main tools we use to reduce risk. In doing so, we leverage a mix of preventive and detective controls. As the name suggests, preventive controls are designed to reduce the potential that a given threat will negatively affect a given environment.

Of course, preventive controls don't always work as designed, and some threats will always get through them. To supplement this protection, detective controls are also used. Detective controls identify security issues soon after they occur, so that they can be remediated before too much damage has occurred.

Using preventive and detective controls in tandem is a routine practice that is applied across many areas in the security space, including network security, application security, endpoint protection, identity and access management, and cloud security.

That is by no means an exhaustive list — this practice is applied in myriad areas within the security space. You can imagine my surprise, then, that one area is noticeably lacking the powerful combination of preventive and detective controls: distributed denial-of-service (DDoS) protection.

**Why DDoS Is Still a Problem**

DDoS is a significant problem for most businesses. According to MazeBolt, a DDoS security company, 60% of businesses lose at least $120,000 due to DDoS attacks, while 15% of businesses lose at least $1 million. Even with the best DDoS protections in place, businesses still suffer from 30% to 75% exposure of their online services to DDoS, MazeBolt says. This means that DDoS is a serious problem confronting the industry — and one that is not getting the preventive controls it needs.

Perhaps that will surprise you, too. When it comes to DDoS, organizations focus mainly on detection and mitigation. They purchase DDoS mitigation solutions, but they don't give much thought to protecting the organization from attack in the first place. We as a profession don't seem to focus much on DDoS preventive controls, despite the fact that the US Cybersecurity and Infrastructure Security Agency (CISA) recommends doing so in its latest DDoS mitigation guidance.

It may seem odd, but historically, there are reasons for this, such as the difficulty in checking for vulnerabilities and susceptibility to DDoS in a nondisruptive manner.

**5 Steps to Round Out DDoS Protection**

So once an organization decides to take a more well-rounded approach to DDoS, what are some steps it should follow to ensure it is adequately protected? I've offered a few thoughts here.

1\. Check for vulnerabilities. Organizations should ensure that they check for vulnerabilities and susceptibility to DDoS at layers 3, 4, and 7 of the OSI model. This is easier said than done, of course. This requires being nondisruptive in identifying vulnerabilities. Taking down the infrastructure in the name of DDoS security would not be a good thing.

2\. Stay nondisruptive. No one needs their DDoS risk reduced at the cost of disrupting business operations and impacting revenue, uptime, and customer satisfaction. There is a better way — namely, new nondisruptive, nonintrusive methods to identify and enumerate infrastructure vulnerabilities that expose an organization to additional DDoS risk.

3\. Understand the environment. The best way to ensure that no infrastructure vulnerabilities are missed is to know the environment well. This is the case regardless of how complex the environment is, and even if that environment involves hybrid and multicloud environments. Understanding the environment is the best way to eliminate blind spots. That, in turn, makes the vulnerability identification and remediation process far more thorough and effective.

4\. Establish and follow a process. Organizations should have a process to document and prioritize vulnerabilities for remediation. This ensures that things do not fall through the cracks and reduces the potential for oversight and human error. Even with the best process, organizations will still need determination and follow-through to remediate the vulnerabilities they have identified. DDoS security is a marathon, not a sprint.

5\. Iterate your security steps. DDoS security, like many areas within the security field, is not a one-time activity. Organizations need to continually test for new or persistent vulnerabilities within the infrastructure. They need to ensure that they are continually aware of changes to the environment so that they can retain the requisite level of understanding and knowledge of the environment. Organizations will also need to continually stick to and follow their process to ensure that vulnerabilities are remediated in a timely manner. Simply put, DDoS security is an effort that requires continuous attention.

Like many areas in the security space, DDoS security leverages both preventive and detective controls — or at least it should. For a variety of reasons, our historical focus around DDoS has been primarily on detection and mitigation of DDoS attacks. We as a field are long overdue for leveraging preventive controls in the DDoS security area.

**About the Author(s)**

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Proper DDoS Protection Requires Both Detective and Preventive Controls

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.
The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.
"Its primary method of operation

Tag

#ddos