Cloudflare on Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack. The web infrastructure and website security company called it one of the "largest HTTPS DDoS attacks on record." 
"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS

Cloudflare on Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack. The web infrastructure and website security company called it one of the "largest HTTPS DDoS attacks on record."

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Cloudflare's Omer Yoachimik and Julien Desgats said. "Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it."

The volumetric DDoS attack is said to have lasted less than 15 seconds and targeted an unnamed Cloudflare customer operating a crypto launchpad.

Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor's control.

Cloudflare said the latest attack was launched from a botnet comprising roughly 6,000 unique compromised devices, with 15% of the attack traffic originating from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.

"What's interesting is that the attack mostly came from data centers," Yoachimik and Desgats noted. "We're seeing a big move from residential network Internet Service Providers (ISPs) to cloud compute ISPs."

Record-setting DDoS attacks have become increasingly common in recent months. In August 2021, Cloudflare disclosed what it characterized as the largest application-layer attack ever seen, and, earlier this year, Microsoft revealed that it had prevented multiple DDoS attacks that crossed 2.4 terabits per second (Tbps).

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CloudFlare Thwarts Record DDoS Attack Peaking at 15 Million Requests Per Second

The startup is the latest company to try to solve the problem of organizing and sharing secrets.

Secrets management continues to be an ongoing challenge in application security, as developers struggle to organize secrets used in source code and manage distributed systems and infrastructure.

The latest startup to address this space is Doppler, whose platform helps developers securely store, transmit, and audit secrets. The Doppler platform syncs secrets across devices, environments, and team members so that developers don't wind up sharing secrets on insecure platforms (such as Slack or email) or including them within .git and .zip files. The platform can also handle secrets rotation, and it sends developers alerts over Slack and Microsoft Teams to inform them when the secrets are changed.

Secrets refer to sensitive pieces of data, such as tokens, encryption keys, API keys, and digital certificates. A survey by 1Password last year found that 65% of companies juggle more than 500 secrets, and 18% said they have "more than they can count."

The secrets are scattered across source code, container and infrastructure images, and configuration files. Over 6 million secrets were detected in scans of public GitHub repositories in 2021, according to GitGuardian's State of Secrets Sprawl 2022 report.

Adversaries routinely attempt to intercept these secrets in order to gain access to cloud environments, help with lateral movement, and access data in applications. Earlier this month, GitHub said adversaries were able to download private data from some organizations using Heroku and Travis-CI after stealing a handful of OAuth tokens used by those two platforms. Last year, attackers compromised Codecov and stole secrets belonging to Codecov's customers. Those secrets were then used to compromise the customers.

1Password estimates the cost of a company losing control of its secrets at $1.2 million per year.

**Security Management Is Key**  
Enterprises need processes in place to handle secrets management, such as inventorying what secrets they have, controlling access, sharing secrets safely with collaborators, and promptly revoking those secrets when they are exposed. It also needs to be scalable, considering the sheer number of secrets developers are using, and not time-intensive.

In the same 1Password survey, DevOps and IT workers said they spend an average of 25 minutes each day managing secrets – which the company estimated to add up to an annual payroll expense of roughly $8.5 billion.

Secrets management is shaping up to be a fairly crowded market. HashiCorp Vault offers a vault for teams to securely store tokens, passwords, certificates, and encryption keys. 1Password acquired SecretHub last year, which was the basis for its 1Password Secrets Automation service. Cloud giants Amazon Web Services and Google Cloud offer AWS Secrets Manager and Secrets Manager, respectively. GitHub, GitLab, and Atlassian all offer various levels of secrets-scanning tools for their code repositories.

Then there's Doppler, which recently raised $20 million as part of a series A funding round.

"The ability to securely store, transmit and audit secrets has never been more critical as one minor error can lead to catastrophic results," said Murat Bicer, a general partner at CRV (which led the funding round), in a statement. "In a world where putting a single space in the wrong place can literally take down a company's entire website, Doppler makes it easy to prevent leaks and outages with their developer focused approach."

Doppler Takes on Secrets Management

Acquisition expands security software-as-a-service capabilities.

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

April 29, 2022

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

by Dark Reading Staff, Dark Reading

April 29, 2022

1 min read

Article

Explainable AI for Fraud Prevention

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

April 28, 2022

As the use of AI- and ML-driven decision-making draws transparency concerns, the need increases for explainability, especially when machine learning models appear in high-risk environments.

by David Utassy, Data Scientist, SEON

April 28, 2022

4 min read

Article

Tenable Acquires External Attack Surface Management Vendor for $44.5M

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

April 26, 2022

Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.

by Dark Reading Staff, Dark Reading

April 26, 2022

1 min read

Article

API Attacks Soar Amid the Growing Application Surface Area

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

April 26, 2022

With Web application programming interface (API) traffic growing quickly, the average cloud-focused company sees three times more attacks.

by Robert Lemos, Contributing Writer

April 26, 2022

5 min read

Article

Ukraine Invasion Driving DDoS Attacks to All-Time Highs

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

April 25, 2022

Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.

by Dark Reading Staff, Dark Reading

April 25, 2022

2 min read

Article

Sophos Buys Alert-Monitoring Automation Vendor

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

April 22, 2022

Acquisition of cloud-based alert security company will help Sophos automate tasks bogging down security teams, the company says.

by Dark Reading Staff, Dark Reading

April 22, 2022

1 min read

Article

Devo Acquires Threat Hunting Company Kognos

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

April 21, 2022

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

by Dark Reading Staff, Dark Reading

April 21, 2022

1 min read

Article

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

April 20, 2022

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

by Robert Lemos, Contributing Writer

April 20, 2022

5 min read

Article

Security-as-Code Gains More Support, but Still Nascent

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

April 18, 2022

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

by Robert Lemos, Contributing Writer

April 18, 2022

5 min read

Article

CISA Alert on ICS, SCADA Devices Highlights Growing Enterprise IoT Security Risks

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

April 15, 2022

Omdia Senior Analyst Hollie Hennessy says the new threat to multiple ICS and SCADA devices underscores the importance of a rapid response to IoT and OT security risks.

by Hollie Hennessy, Senior Analyst, IoT Cybersecurity, Omdia

April 15, 2022

3 min read

Article

How IP Data Can Help Security Professionals Protect Their Networks

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

April 05, 2022

Beefing up security requires a combination of forensic efforts and proactive mitigation. IP context aids both.

by Jonathan Tomek, VP of Research and Development, Digital Envoy

April 05, 2022

5 min read

Article

Will the Biggest Clouds Win? Lessons From Google's Mandiant Buy

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

March 21, 2022

Google eventually won out in the competition for Mandiant, but Microsoft's interest underscores the trend in consolidation of security services into large cloud providers, experts say.

by Robert Lemos, Contributing Writer

March 21, 2022

5 min read

Article

Cut Down on Alert Overload and Leverage Layered Security Measures

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

March 17, 2022

Feeling overwhelmed by the number of alerts? It doesn't have to be that way.

by Jason Manar, Chief Information Security Officer, Kaseya

March 17, 2022

4 min read

Article

VPNs Give Russians an End Run Around Censorship

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

March 16, 2022

As the invasion of Ukraine continues, Russian citizens have turned to virtual private networks — boosting demand for the software by 27x — to circumvent the government's blocks on social media and news sites critical of the war.

by Robert Lemos, Contributing Writer

March 16, 2022

4 min read

Article

How Enterprises Can Get Used to Deploying AI for Security

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

March 11, 2022

It's important to take a "trust journey" to see how AI technology can benefit an organization's cybersecurity.

by Fahmida Y. Rashid, Features Editor, Dark Reading

March 11, 2022

4 min read

Article

Synopsys to Acquire WhiteHat Security from NTT

Internet-facing zero-day vulnerabilities were the most commonly used types of bugs in 2021 attacks, according to the international Joint Cybersecurity Advisory (JCSA).

Log4Shell, despite being disclosed only at the end of the year, topped 2021's list of most-exploited vulnerabilities, according to the Cybersecurity and Infrastructure Agency (CISA). The agency compiled the findings along with the cybersecurity agencies of Australia, Canada, New Zealand, and the United Kingdom. 

"Globally in 2021, malicious cyberactors targeted Internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities," CISA reported in its announcement of the findings.  "For most of the top exploited vulnerabilities, researchers or other actors released proof-of-concept (PoC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors." 

The top most commonly exploited vulnerabilities, according to CISA, include Log4Shell, which affects Apache’s Log4j library, and the ProxyLogon and ProxyShell vulnerabilities, which are bugs in Microsoft Exchange email servers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Log4Shell Was the Most-Exploited Vulnerability in 2021

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

The Botnet appears to use a new delivery method for compromising Windows systems after Microsoft disables VBA macros by default.

Emotet malware attacks are back after a 10-month “spring break” – with criminals behind the attack rested, tanned and ready to launch a new campaign strategy. That new approach includes more targeted phishing attacks, different from the previous spray-and-pray campaigns, according to new research.

Proofpoint analysts linked this activity to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a Tuesday report.

Emotet, once dubbed “the most dangerous malware in the world” is being leveraged in its most recent campaign to deliver ransomware. Those behind distributing the malware have been in law enforcement’s crosshairs for years.  In  January  2021, authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States worked together to take down a network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.”

The latest activity observed by researchers occurred while Emotet was on a “spring break.” Efforts were lowkey and likely an attempt to test new tactics without drawing attention. Now, researchers say TA542 has ramped up attacks to typical high-volume threat campaigns. “The threat actor has since resumed its typical activity,” Proofpoint said.

Cybersecurity researchers from AdvIntel, Crypolaemus confirmed Proofpoint’s observations, both observing the Emotet’s return after a 10-months gap. According to those researchers, attackers behind the malware have sent millions of phishing emails designed to infect the devices with malware and can be controlled by botnets.

> 2021-11-14: 🔥The "#Emotet partner ($) loader" program appears resorcing from existing #TrickBot infections.
> 
> 📌TrickBot launched what appears to be the newer Emotet loader.  
> 👇https://t.co/nVugStaAvE https://t.co/GHupFlENaQ
> 
> — Vitali Kremez (@VK\_Intel) November 15, 2021

****New Phase of Emotet****

In its report, Proofpoint researchers noted that this new testing of phishing emails could be the result of Microsoft’s actions to disable specific macros associated with Office apps in February 2022. At the time Microsoft said it was changing defaults for five Office apps that run macros.  This prevents attackers from targeting documents with automation services to execute the malware on victims’ systems.

According to cybersecurity researchers at Proofpoint, the new techniques observed in recent campaigns appeared to be tested on a smaller scale, as a test for potential be used for a larger campaign.

The new campaigns use compromised email accounts to send out spam-phishing emails with a one-word headline. Common terms in phishing attacks included “salary” are used to encourage users to click out of curiosity, found by the ProofPoint cybersecurity researchers.

The message body contains a OneDrive URL. This URL hosts Zip files containing Microsoft Excel Add-in (XLL) files with a similar name to the email subject line.

If these XLL files are opened and executed, Emotet will infect the machine with malware. Further, it can steal the information or create a backdoor for deploying other malwares to compromise the Windows system.

According to cybersecurity researchers at Proofpoint, the use of OneDrive URLs and XLL makes this campaign distinct from previous ones. Earlier Emotet attempted to spread itself via Microsoft Office attachments or phishing URLs. Those malicious payloads included Word and Excel documents containing Visual Basics for Applications (VBA) scripts or macros.

The attacks associated with this new campaign took place between April 4, 2022 and April 19, 2022, when other widespread Emotet campaigns were put on hold, researchers said.

“After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“Organizations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added.

“Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable” DeGrippo explained.

In another development malware, authors patched the issue, which prevented potential victims from getting compromised upon clicking on the malicious email attachments.  

Reported By: Sagar Tiwari, an independent security researcher and technical writer.

Emotet is Back From ‘Spring Break’ With New Nasty Tricks

Miele Benchmark Programming Tool versions 1.1.49 and 1.2.71 suffer from a privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220427-0 >  
=======================================================================  
               title: Privilege Escalation  
             product: Miele Benchmark Programming Tool  
  vulnerable version: at least 1.1.49 and 1.2.71  
       fixed version: 1.2.72  
          CVE number: CVE-2022-22521  
              impact: Medium  
            homepage: https://www.miele.com/  
               found: 2022-01-24  
                  by: J. Kruchem (Office Vienna)  
                      W. Schober (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"There are many good reasons for choosing Miele. Since the company's founding in  
1899, Miele has remained true to its "Immer Besser" brand promise. This means  
that we will do all that we can to be "Immer Besser" (forever better) than our  
competitors and "Immer Besser" (forever better) than we already are. For our  
customers, this means the peace of mind of knowing that choosing Miele is a  
good decision – and probably the decision of a lifetime."

Source: https://www.mieleusa.com/c/about-us-9.htm

Business recommendation:  
------------------------  
The vendor provides a patched version which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised,  
as the software may be affected from further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Privilege Escalation (CVE-2022-22521)  
The path where the Miele Benchmark Programming Tool is installed is writable  
for any user on the Windows operation system. This allows replacing the Uninstall  
binary and thus an attacker gaining local admin privileges if uninstalled.

Proof of concept:  
-----------------  
1) Privilege Escalation (CVE-2022-22521)  
The Uninstall string can be found in the following registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{<UUID of Miele Benchmark Programming>}

The UninstallString field has the following value:

UninstallString  
"C:\MIELE_SERVICE\Miele Benchmark Programming Tool\Uninstall Miele Benchmark Programming Tool.exe" /allusers

For exploitation, replace the "Uninstall Miele Benchmark Programming Tool.exe"  
with a malicious binary and uninstall via Software Center or call the admin  
and let them uninstall the Miele Benchmark Programming Tool.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested, which were the latest versions available  
during the time of the test:

* 1.1.49  
* 1.2.71

Other (lower) software versions may be affected as well.

Vendor contact timeline:  
------------------------  
2022-03-21: Contacting vendor through psirt@miele.com  
2022-03-22: Vendor answered that they will check the provided information  
2022-04-07: Vendor confirmed the vulnerability and answered with aim to fix it asap  
2022-04-11: Vendor sent their advisory (including CVE) and fixed version  
2022-04-27: Coordinated release of advisory.

Solution:  
---------  
The vendor provides a patched version v1.2.72 which can be downloaded here:

https://www.miele.com/en/com/downloads-6770.htm

Workaround:  
-----------  
Adapt permissions of the C:\MIELE_SERVICE directory according to the least privilege  
principle.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem / @2022

Miele Benchmark Programming Tool 1.1.49 / 1.2.71 Privilege Escalation

When KrebsOnSecurity last month explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless Emergency Data Requests (EDRs) from social media and technology providers, many security experts called it a fundamentally unfixable problem. But don't tell that to Matt Donahue, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests -- in part by assigning trustworthiness or "credit ratings" to law enforcement authorities worldwide.

When KrebsOnSecurity recently explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless **Emergency Data Requests** (EDRs) from social media firms and technology providers, many security experts called it a fundamentally unfixable problem. But don’t tell that to **Matt Donahue**, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests — in part by assigning trustworthiness or “credit ratings” to law enforcement authorities worldwide.

A sample Kodex dashboard. Image: Kodex.us.

Donahue is co-founder of Kodex, a company formed in February 2021 that builds security portals designed to help tech companies “manage information requests from government agencies who contact them, and to securely transfer data & collaborate against abuses on their platform.”

The 30-year-old Donahue said he left the FBI in April 2020 to start Kodex because it was clear that social media and technology companies needed help validating the increasingly large number of law enforcement requests domestically and internationally.

“So much of this is such an antiquated, manual process,” Donahue said of his perspective gained at the FBI. “In a lot of cases we’re still sending faxes when more secure and expedient technologies exist.”

Donahue said when he brought the subject up with his superiors at the FBI, they would kind of shrug it off, as if to say, “This is how it’s done and there’s no changing it.”

“My bosses told me I was committing career suicide doing this, but I genuinely believe fixing this process will do more for national security than a 20-year career at the FBI,” he said. “This is such a bigger problem than people give it credit for, and that’s why I left the bureau to start this company.”

One of the stated goals of Kodex is to build a scoring or reputation system for law enforcement personnel who make these data requests. After all, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to abuse the EDR process is illicit access to a single police email account.

Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, and hopefully making it easier for all customers to spot an unauthorized EDR.

Kodex’s first big client was cryptocurrency giant **Coinbase**, which confirmed their partnership but otherwise declined to comment for this story. **Twilio** confirmed it uses Kodex’s technology for law enforcement requests destined for any of its business units, but likewise declined to comment further.

Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.

Donahue said in Kodex’s system, each law enforcement entity is assigned a credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

“In those cases, we warn the customer with a flash on the request when it pops up that we’re allowing this to come through because the email was verified \[as being sent from a valid police or government domain name\], but we’re trying to verify the emergency situation for you, and we will change that rating once we get new information about the emergency,” Donahue said.

“This way, even if one customer gets a fake request, we’re able to prevent it from happening to someone else,” he continued. “In a lot of cases with fake EDRs, you can see the same email \[address\] being used to message different companies for data. And that’s the problem: So many companies are operating in their own silos and are not able to share information about what they’re seeing, which is why we’re seeing scammers exploit this good faith process of EDRs.”

**NEEDLES IN THE HAYSTACK**

As social media and technology platforms have grown over the years, so have the volumes of requests from law enforcement agencies worldwide for user data. For example, in its latest transparency report mobile giant **Verizon** reported receiving 114,000 data requests of all types from U.S. law enforcement entities in the second half of 2021.

Verizon said _approximately 35,000 of those requests (~30 percent) were EDRs_, and that it provided data in roughly 91 percent of those cases. The company doesn’t disclose how many EDRs came from foreign law enforcement entities during that same time period. Verizon currently asks law enforcement officials to send these requests via fax.

Validating legal requests by domain name may be fine for data demands that include documents like subpoenas and search warrants, which can be validated with the courts. But not so for EDRs, which largely bypass any official review and _do not require the requestor to submit any court-approved documents_.

Police and government authorities can legitimately request EDRs to learn the whereabouts or identities of people who have posted online about plans to harm themselves or others, or in other exigent circumstances such as a child abduction or abuse, or a potential terrorist attack.

But as KrebsOnSecurity reported in March, it is now clear that crooks have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using illicit access to hacked police email accounts, the attackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person. That might explain why the compliance rate for EDRs is usually quite high — often upwards of 90 percent.

Fake EDRs have become such a reliable method in the cybercrime underground for obtaining information about account holders that several cybercriminals have started offering services that will submit these fraudulent EDRs on behalf of paying clients to a number of top social media and technology firms.

A fake EDR service advertised on a hacker forum in 2021.

An individual who’s part of the community of crooks that are abusing fake EDR told KrebsOnSecurity the schemes often involve hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

**EDR OVERLOAD?**

Donahue said depending on the industry, EDRs make up between 5 percent and 30 percent of the total volume of requests. In contrast, he said, EDRs amount to less than three percent of the requests sent through Kodex portals used by customers.

KrebsOnSecurity sought to verify those numbers by compiling EDR statistics based on annual or semi-annual transparency reports from some of the largest technology and social media firms. While there are no available figures on the number of fake EDRs each provider is receiving each year, those phony requests can easily hide amid an increasingly heavy torrent of legitimate demands.

**Meta/Facebook** says roughly 11 percent of all law enforcement data requests — 21,700 of them — were EDRs in the first half of 2021. Almost 80 percent of the time the company produced at least some data in response. Facebook has long used its own online portal where law enforcement officials must first register before submitting requests.

Government data requests, including EDRs, received by Facebook over the years. Image: Meta Transparency Report.

**Apple** said it received 1,162 emergency requests for data in the last reporting period it made public — July – December 2020. Apple’s compliance with EDRs was 93 percent worldwide in 2020. Apple’s website says it accepts EDRs via email, after applicants have filled out a supplied PDF form. \[As a lifelong Apple user and customer, I was floored to learn that the richest company in the world — which for several years has banked heavily on privacy and security promises to customers — still relies on email for such sensitive requests\].

**Twitter** says it received 1,860 EDRs in the first half of 2021, or roughly 15 percent of the global information requests sent to Twitter. Twitter accepts EDRs via an interactive form on the company’s website. Twitter reports that EDRs decreased by 25% during this reporting period, while the aggregate number of accounts specified in these requests decreased by 15%. The United States submitted the highest volume of global emergency requests (36%), followed by Japan (19%), and India (12%).

**Discord** reported receiving 378 requests for emergency data disclosure in the first half of 2021. Discord accepts EDRs via a specified email address.

For the six months ending in December 2021, **Snapchat** said it received 2,085 EDRs from authorities in the United States (with a 59 percent compliance rate), and another 1,448 from international police (64 percent granted). Snapchat has a form for submitting EDRs on its website.

**TikTok**‘s resources on government data requests currently lead to a “Page not found” error, but a company spokesperson said TikTok received 715 EDRs in the first half of 2021. That’s up from 409 EDRs in the previous six months. Tiktok handles EDRs via a form on its website.

The current transparency reports for both **Google** and **Microsoft** do not break out EDRs by category. Microsoft says that in the second half of 2021 it received more than 25,000 government requests, and that it complied at least partly with those requests more than 90 percent of the time.

Microsoft runs its own portal that law enforcement officials must register at to submit legal requests, but that portal doesn’t accept requests for other Microsoft properties, such as LinkedIn or Github.

Google said it received more than 113,000 government requests for user data in the last half of 2020, and that about 76 percent of the requests resulted in the disclosure of some user information. Google doesn’t publish EDR numbers, and it did not respond to requests for those figures. Google also runs its own portal for accepting law enforcement data requests.

**Verizon** reports (PDF) receiving more than 35,000 EDRs from just U.S. law enforcement in the second half of 2021, out of a total of 114,000 law enforcement requests (Verizon doesn’t disclose how many EDRs came from foreign law enforcement entities). Verizon said it complied with approximately 91 percent of requests. The company accepts law enforcement requests via snail mail or fax.

Image: Verizon.com.

**AT&T** says (PDF) it received nearly 19,000 EDRs in the second half of 2021; it provided some data roughly 95 percent of the time. AT&T requires EDRs to be faxed.

The most recent transparency report published by **T-Mobile** says the company received more than 164,000 “emergency/911” requests in 2020 — but it does not specifically call out EDRs. Like its old school telco brethren, T-Mobile requires EDRs to be faxed. T-Mobile did not respond to requests for more information.

Data from T-Mobile’s most recent transparency report in 2020. Image: T-Mobile.

Fighting Fake EDRs With ‘Credit Ratings’ for Police

In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.

CVE-2022-27239: Linux CIFS Utils and Samba - Free Knowledge Base

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.
Collectively called "Nimbuspwn," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other

![Privilege Escalation Flaws in Linux](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhG_jhh9hiswd2AzsR0aCo4MuEub8YtwWhf1ShIH_fynCfsJrWmtt2F85IXLzhTGtMEUD27Op_s2CnLgthjsCDhzTZWerBz5aaATkEYPH4sohkYbIUlb4DAGeEH1EF2H5_bIoqCvljCcU39hjYuYJuiErrVsn1WgPwMyHpOL9ZNHNy6jRL_HeTPxG_P/s728-e1000/linux-1.jpg "Privilege Escalation Flaws in Linux")

Microsoft on Tuesday disclosed a set of two privilege escalation vulnerabilities in the Linux operating system that could potentially allow threat actors to carry out an array of nefarious activities.

Collectively called "**Nimbuspwn**," the flaws "can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution," Jonathan Bar Or of the Microsoft 365 Defender Research Team said in a report.

![CyberSecurity](https://thehackernews.com/images/-SmHk9U6ikBk/YVHUUpxrNfI/AAAAAAAA4ac/xluSCU7878ErhlmIN9mj9pKf9fr3LTBwACLcBGAsYHQ/s300-e100/rewind-3-300.png)

On top of that, the defects — tracked as **CVE-2022-29799 and CVE-2022-29800** — could also be weaponized as a vector for root access to deploy more sophisticated threats such as ransomware.

The vulnerabilities are rooted in a systemd component called networkd-dispatcher, a daemon program for the network manager system service that's designed to dispatch network status changes.

![Privilege Escalation Flaws in Linux](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhVJDKavu6WCDP6IGF4F0G_sv-BbtjlKBhwhUC_JFsQKeZqoRBzFtxfMTeE5_PGpBJOx9OQm_TcJR6mjVi5OuNx9mE1LjwbVcMg9c-xZgCFkkGOB1aMQQnVDGhXPPpKOljAJeFldyneILzyLR7BZwQVeWJZfshu44s9XBov1nLQpS0FIrdFV8KOwOhy/s728-e1000/linux.jpg "Privilege Escalation Flaws in Linux")

Specifically, they relate to a combination of directory traversal (CVE-2022-29799), symbolic link (aka symlink) race, and time-of-check to time-of-use (CVE-2022-29800) flaws, leading to a scenario where an adversary in control of a rogue D-Bus service can plant and execute malicious backdoors on the compromised endpoints.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

Users of networkd-dispatcher are highly recommended to update their instances to the latest version to mitigate potential arising out of exploiting the flaws.

"The growing number of vulnerabilities on Linux environments emphasize the need for strong monitoring of the platform's operating system and its components," Bar Or said.

"This constant bombardment of attacks spanning a wide range of platforms, devices, and other domains emphasizes the need for a comprehensive and proactive vulnerability management approach that can further identify and mitigate even previously unknown exploits and issues."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft