DDoS IP Protection: A New, Low-Cost Option for SMB

Microsoft announced the Azure DDoS IP Protection released as a public preview on October 19, 2022. Small and medium-sized businesses (SMBs) can now benefit from DDoS protection with a pricing model customized to their specifications.

DDoS Protection provides similar capabilities to DDoS Network Protection (previously known as DDoS Protection Standard). It is designed for enterprises and organizations to protect significant deployments of resources against DDoS attacks.

This new SKU includes all the essential features, such as automatically detecting and mitigating L3/L4 attacks, metrics and alerts, mitigation flow logs, and mitigation policies tailored to the customer’s needs. It also includes Azure Firewall Manager, Microsoft Sentinel, and Microsoft Defender for Cloud Integration.

Unlike the DDos Network Protection product, DDoS IP Protection does not include DDoS rapid response support, cost protection, or WAF discounts.

According to Amir Dahan, Microsoft’s senior product manager for Azure Networking, “With the DDoS IP Protection SKU, customers now have the flexibility to enable DDoS protection on individual public IP addresses. This low-cost DDoS protection option is ideal for SMB clients who only need to secure a handful of public IP addresses.

Azure’s global network provides cloud-scale DDoS protection so that users can defend their workloads against sophisticated DDoS threats. Users can minimize false negatives while protecting their apps and resources by tuning the application’s scale and actual traffic patterns. In near real-time, users can monitor and respond to DDoS attacks based on visibility into the attack lifecycle, vectors, and mitigation.

With Azure’s firewall manager, users can manage their DDoS protection and other network security services in one place. Microsoft Defender for Cloud security sends alerts and recommendations to the user. In addition, Microsoft Sentinel’s rich attack analytics and telemetry integration allow users to strengthen their security measures.

Upon enrollment, customers can enable the Public IP Standard SKU with DDoS IP protection in selected regions. Within the Azure Preview Portal, the SKU can be managed under the Azure DDoS Protection configuration window.

Billing for the new DDoS IP Protection will begin on February 1, 2023.

DDoS IP Protection is an excellent solution for SMBs that need to secure their public IP addresses against DDoS threats. It offers similar capabilities as DDoS Network Protection but at significantly lower prices. This makes it an ideal choice for small and medium-sized businesses looking to take advantage of Azure’s world-class DDoS protection without breaking the bank.

Fortinet Security Updates

Fortinet addressed a critical vulnerability that gave remote access to numerous services and was being exploited by threat actors in the wild.

The company described the vulnerability as an authentication bypass on the admin interface, allowing unauthenticated users to connect to FortiProxy web proxies, FortiGate firewalls, and FortiSwitch Manager on-prem management instances. Specifically, the flaw (CVE-2022-40684) is an authentication bypass on the administrative interface that allows remote threat actors access to the previously mentioned services.

In a customer support bulletin released today, Fortinet explains that “an authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.”

The company stated, “This is a critical vulnerability and should be addressed with the utmost urgency.”

Fortinet advised customers using the vulnerable versions to upgrade immediately since it is possible to exploit the problem remotely.

Over 100,000 FortiGate firewalls may be accessed from the Internet, according to a Shodan search; however, it’s uncertain if their control interfaces are also affected.

In addition, the business stated that the fix was deployed on Thursday and alerted some of its clients via email, asking them to disable remote management user interfaces “immediately.”

A few days after issuing the fix, the business provided more information, stating it had discovered proof of at least one real-world campaign using the flaw.

According to the company, “Fortinet is aware of an instance where this vulnerability was exploited and recommended immediately validating your systems against the following indicator of compromise in the device’s logs: user=”Local_Process_Access.”

The following products are susceptible to attacks attempting to exploit the CVE-2022-40 flaw:

FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1

FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0

FortiSwitchManager: Versions 7.0.0 and 7.2.0

In today’s customer support advisory, Fortinet stated that susceptible devices should be updated to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 or above after the company published security fixes on Thursday.

The Fortinet CVE-2022-40684 authentication bypass vulnerability is a critical flaw that allows remote access to numerous services. The company has released security fixes and advises customers to upgrade immediately. Additionally, Fortinet recommends that the internet-facing HTTPS Administration be immediately deactivated until the upgrade can be completed.

Personal Information Compromised in City of Tucson Data Breach

 In light of a recent data breach, the City of Tucson, Arizona, is alerting approximately 123,000 citizens that their personal information has been compromised. The issue was detected in May 2022, but the city’s investigation didn’t conclude until last month.

As detailed in the notification addressed to those impacted by the data breach, an attacker infiltrated the city’s network and exfiltrated a large number of sensitive files.

Between May 17 and May 31, the threat actors obtained access to the network and stole essential documents containing the personal information of over 123,000 people.

The data breach notification states, “On May 29, 2022, the City learned of suspicious behavior using a user’s network account credentials.” Additionally, “On August 4, 2022, the City discovered that certain files may have been copied and removed from its network.”

The city disclosed in a separate notice, “On September 12, this review concluded, and the review determined that the information at issue included certain personal information.”

The city began contacting potentially affected individuals on September 23, informing them that the attackers may have gained access to their names and Social Security numbers, among the sensitive personal information exposed during the incident.

The notification letters issued to the affected individuals also stated that, at the moment, there’s no proof of personal data being used for fraudulent activities.

Affected individuals are encouraged to monitor their credit reports for any unusual activities that may point to identity theft or fraud using their personal information.

For those affected, the city is giving free credit monitoring and identity protection services from Experian for an entire year, as well as advice on how to avoid being a victim of identity theft.

The city is committed to protecting residents’ personal information as it continues to review its existing policies and procedures regarding cybersecurity and evaluate additional measures and safeguards to protect against this type of event.

Akamai Finds 13 Million Malicious Domains Each Month

According to a new Akamai analysis, the company’s experts classified about 79 million domains as dangerous in the first half of 2022; based on a NOD (newly observed domain) dataset, this is about 13 million malicious domains per month, representing 20.1% of all the successfully resolved NODs.

According to Akamai, a NOD is any domain queried for the first time in the last 60 days. And by “malicious,” it means a domain name that leads to a site meant to phish, spread malware or do some other kind of damage online.

Akamai said, “[The NOD dataset] is where you find freshly registered domain names, typos, and domains that are only very rarely queried on a global scale.” The company observes about 12 million new NODs daily, of which slightly more than 2 million are successfully resolved.

The organization uses relatively simple procedures to determine whether a domain is harmful or not. With the assistance of the larger cybersecurity community, Akamai compiled a 30-year predictive list of known domain generation algorithms (DGAs) that may be used to detect domains registered with DGAs.

Since DGA domains may be created in quantity for even temporary campaigns, hackers frequently use them to distribute malware and host phishing pages. Think of DGAs as places on the internet where malware and other things can meet up and use them.

According to the company, most of Akamai’s malicious domain detections come from the “more than 190 NOD-specific detection criteria” it employs for NOD-based detection. They also mentioned that among the 79 million malicious NODs it discovered in the first half of the year, there were only 0.00042 percent false positives.

There are other options than Akamai’s NOD detection, such as Cisco’s “newly seen domain” detection system, which scans DNS data and alerts users to potentially dangerous websites.

Although it’s unclear how those services stack up against Akamai’s, their end objectives seem to be comparable and indicate that NODs are a well-known security issue that other businesses are seeking to address.

Intel Confirms Leak of Alder Lake BIOS Source Code

After a source code leak was posted by an unidentified third party on 4chan and GitHub last week, the technology giant Intel has confirmed that confidential source code related to its Alder Lake CPUs has been leaked.

The disclosed information comprises UEFI (Unified Extensible Firmware Interface) code for the company’s 12th-generation CPUs that were released in November 2021.

It is believed that the leaked data also contained multiple references to Lenovo, including code used for integration with Lenovo String Service, Lenovo Cloud Service, and Lenovo Secure Suite.

According to Intel, the source code is genuine and is their “exclusive UEFI code.” Furthermore, the technology giant stated that it doesn’t believe this exposes any new security vulnerabilities as it does not rely on the obfuscation of information as a security measure.

Sources from Hardened Vault noted that attackers can still gain significantly from the breaches even if the disclosed OEM implementation is only partially deployed in production.

According to other sources, a private encryption key called KeyManifest, which is used to protect Intel’s Boot Guard platform, was also exposed in the breach.

It is unknown whether or not the compromised private key is used in production. Still, if it is, it might allow hackers to alter the boot policy of Intel’s firmware and bypass the company’s hardware-level security measures.

Despite the fact that the source of the leak remains unknown, it’s clear that sensitive information about Intel’s Alder Lake CPUs has been exposed. This breach might allow attackers to exploit security measures put in place by Intel. If you have discovered a vulnerability in the source code, you can report it to Intel’s Project Circuit Breaker bug reward program. Depending on the severity of the issue, you could be eligible for a reward of up to $100,000.