Cyber Week in Review: D-Link Router, MySQL Servers & CloudFlare

Media Division | March 10, 2017

Ranking cyber vulnerabilities is a bit like asking, “Which bones would you most like to break?”  Um…none.  But with countless broken internet-accessible bones around the globe each day, they inevitably have an inherent ranking.  Cause the internet to slow down, it’s like stubbing a toe.  Turn out the power for even one minute, that’s more like breaking a foot.  Break an arm, well, you do have another.

When you’re ranking attacks that undermine the very fabric of your business infrastructure, well, it’s hard to find a physical comparison, but let’s call it a broken leg.  This week, you may have two broken legs.

Fortunately, vulnerabilities have a shorter heal time, provided updates are done the moment such weaknesses are identified. No cast required.

D-Link and Your Botnet Army Recruits

D-Link is one of the global leaders in Wi-Fi devices, but also no stranger to unfortunate vulnerabilities.  For example, back in 2015, a DNS remote hijacking vulnerability was identified in many DSL router models.  Computerworld reported the exploit, quoting a Bulgarian security researcher who said, “The vulnerability is actually in ZynOS, a router firmware developed by ZyXEL Communications that’s used in products from multiple networking equipment manufacturers, including D-Link, TP-Link Technologies, and ZTE.”

That was before remote hijacking and DDoS attacks, fueled by a botnet army, had made quite so many headlines; internet years are a bit like “dog years” and 2 years ago might as well be fourteen.

Yet here we are, two (or 14, depending on how you count) years later, and a flaw in a D-Link device might be signing up botnet army recruits for mandatory service.  This time it’s the DGS-1510 line of enterprise switches.  The switch has a remotely exploitable bug that lets an attacker bypass authentication and execute commands on the device, which is exactly what a botnet herder needs to conscript it.

Fortunately, D-Link has already released a patch, so go ahead and flood them with customer service requests if you’ve been using the DGS-1510; better still, install the updated firmware and keep the switch’s management interface off the public internet, since a bug like this only needs the attacker to reach the web interface.  Everyone loves a flood of input data, right?

Your-S.Q.L Held for Ransom

MySQL is one of the most popular database systems in the world, so of course black hat hackers look for ways to exploit it, particularly now that ransoming data for anonymous Bitcoin has become so popular.

Traced to a server in the Netherlands, this week’s other headliner is a remote attack on MySQL servers: the attacker brute-forces a login, dumps (or claims to dump) the database contents, deletes the data, and then holds it for ransom.

A Tor-hosted website then tells victims how to pay in Bitcoin (to the tune of about $235).

Ransom-based attacks with a price tag this low bank on the likelihood that a business will say, “That’s not very much money,” and pay it (and on LOTS of businesses paying it).  After all, your data is worth far more than that to your operations.

Before you do, here are a few key points to consider:

  • Do they even really have your data? In some cases they do not; the note is left behind whether or not a dump was ever taken. Go ahead and ask for proof.
  • Have you been taking automated backups that are stored off the database server, and is the MySQL root account restricted to local logins? If so, you have a backup to restore from and do not need to stress (and what the attacker has, if anything, may be a very small amount of your data).
  • Do you use strong passwords? If so, the brute-force methods these attackers rely on would likely be ineffective.
  • What’s your cybersecurity protocol? Do you consult a cybersecurity agency to at least minimize the damage?

If you have to learn this lesson the hard way, so be it.  If it hasn’t yet happened to you, go ahead and implement any of the above security measures that you have not been utilizing and keep your MySQL your own.
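Two of the questions above can be answered from data you already have: the MySQL error log shows whether someone is hammering root with password guesses, and the grant table shows whether root can even be reached from the network. The script below is an added example, not code from the original article; the log lines and the `mysql.user` rows are constructed, and the alerting threshold and window are assumptions you should tune for your own servers.

```python
"""Spot the two warning signs behind the MySQL ransom attacks described above:
a password brute-force against root over the network, and a root account that
is allowed to log in from anywhere.  Added example; the log lines and the
mysql.user rows below are constructed, not taken from a real server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-login lines in the shape MySQL 5.7 writes to its error log when
# log_error_verbosity=3: timestamp, thread id, level, message.  Constructed.
ERROR_LOG = """\
2017-03-05T10:11:02.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-03-05T10:11:03.100000Z 13 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-03-05T10:11:04.200000Z 14 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-03-05T10:11:05.000000Z 15 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-03-05T10:11:06.300000Z 16 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-03-05T10:11:08.000000Z 17 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2017-03-05T10:14:30.000000Z 40 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2017-03-05T10:20:00.000000Z 41 [Note] Access denied for user 'app'@'10.0.0.5' (using password: NO)
"""

DENIED_RE = re.compile(
    r"^(\S+) \d+ \[\w+\] Access denied for user '([^']+)'@'([^']+)'"
)


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, host): total_failures} for every source that produced at
    least `threshold` failed logins inside any `window`-long span.  A single
    mistyped password never trips this; a password guesser does within seconds.
    The threshold and window are assumptions, not MySQL defaults."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        attempts[(m.group(2), m.group(3))].append(ts)

    flagged = {}
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over the timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged


# Rows as returned by:  SELECT user, host, authentication_string FROM mysql.user
# A host of '%' means the account may log in from any address.  Constructed;
# the hashes are placeholders.
USER_TABLE = [
    ("root",   "localhost", "*HASH-OF-ROOT-PASSWORD"),
    ("root",   "%",         "*HASH-OF-ROOT-PASSWORD"),
    ("app",    "10.0.0.%",  "*HASH-OF-APP-PASSWORD"),
    ("backup", "localhost", ""),
]


def exposed_accounts(rows):
    """Accounts an internet-reachable MySQL should never have: any account that
    may connect from any host, and any account with an empty password."""
    findings = []
    for user, host, auth in rows:
        if host == "%":
            findings.append((user, host, "reachable from any host"))
        if auth == "":
            findings.append((user, host, "empty password"))
    return findings


if __name__ == "__main__":
    for (user, host), n in brute_force_sources(ERROR_LOG).items():
        print(f"brute force: {n} failed logins for {user!r} from {host}")
    for user, host, why in exposed_accounts(USER_TABLE):
        print(f"exposed account: {user!r}@{host!r}: {why}")
```

On the constructed data the first function flags only `root` from 203.0.113.7 (six failures in six seconds) and ignores the two spread-out failures from the application host; the second flags `'root'@'%'` and the empty-password `backup` account. The fix for the audit findings is the usual one: drop or re-home the wildcard root account (`DROP USER 'root'@'%'`), give every account a real password, and set `bind-address` in `my.cnf` so the server does not listen on a public interface at all.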

CloudBleed Sets the Internet Ablaze

We all remember Heartbleed.  (Pause to groan.)  Now a CloudFlare vulnerability has been dubbed CloudBleed because of the seriousness of the weakness: client IP addresses, passwords, cookies, authentication keys and tokens, POST bodies, even full HTTP responses could be handed to anyone who requested a page from an affected edge server, and some of that data ended up in search engine caches before it was cleaned up.  Every site behind the CloudFlare network, and every mobile app whose API sits behind it, was potentially exposed.

CloudFlare’s edge servers rewrite HTML on the fly to provide optimization and security features, and a bug in one of those HTML parsers let it read past the end of the buffer holding the page it was processing.  Whatever followed in memory, including data from other customers’ requests on the same server, was copied into the response.  The root cause was an end-of-buffer check written as an equality test, so a pointer that had already stepped past the end of the buffer was never caught.

After learning of the vulnerability, CloudFlare immediately disabled the three features that ran through the affected HTML parser chain: email obfuscation, server-side excludes and automatic HTTPS rewrites.

To be safe, reset the passwords on accounts at sites served through CloudFlare (err on the side of changing passwords quarterly, anyway).  If you use CloudFlare for your own websites, force a password change for all of your users, and invalidate their existing sessions and API tokens as well, since those were just as exposed as the passwords.
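The root cause is easy to state and easy to get wrong, so here is a small model of it. This is an added example, not CloudFlare’s code: a bytes object stands in for the edge server’s process memory, an index stands in for the parser’s pointer, and the “buffer” the parser is told about ends at `REQUEST_END` while the bytes beyond it (a constructed stand-in for another customer’s request) are still readable. The vulnerable parser stops only when the index is exactly at the end; because a backslash escape advances it by two, it can jump over the end and keep copying.

```python
"""Model of the Cloudbleed root cause: an end-of-buffer check written as
`==` instead of `>=`, so a parser that sometimes steps two bytes at a time can
land past the end of its buffer and keep copying whatever lies beyond it.
Added example; MEMORY is a constructed stand-in for an edge server's process
memory, not CloudFlare's code."""

# One contiguous region of memory.  The parser is told its buffer ends at
# REQUEST_END, but the bytes after that belong to a different request that
# happens to sit next to it in memory (constructed data).
CURRENT_REQUEST = b'<a href="/x" title="hello\\'      # attribute cut off at buffer end
NEIGHBOUR_REQUEST = b'Cookie: session=SECRET123; Authorization: Bearer TOKEN456"'
MEMORY = CURRENT_REQUEST + NEIGHBOUR_REQUEST
REQUEST_END = len(CURRENT_REQUEST)

ATTR = b'title="'


def extract_title_vulnerable(memory, end):
    """Copy the title attribute value up to its closing quote.  BUG: the loop
    only stops when the index is exactly `end`.  A backslash as the last byte
    of the buffer makes the index advance by two, skipping over `end`, after
    which the parser reads on into neighbouring memory until it finds a
    quote there."""
    p = memory.index(ATTR) + len(ATTR)
    out = bytearray()
    while True:
        if p == end:                     # the Cloudbleed comparison
            break
        if p >= len(memory):             # only to keep the model finite; a real
            break                        # process would read garbage or crash
        c = memory[p:p + 1]
        if c == b'\\':                   # escape: copy the next byte, step by two
            out += memory[p + 1:p + 2]
            p += 2
            continue
        if c == b'"':
            break
        out += c
        p += 1
    return bytes(out)


def extract_title_fixed(memory, end):
    """Same parser with the end check made safe: `p < end` is required on every
    iteration, and an escape with nothing left inside the buffer stops the
    parse instead of stepping past the end."""
    p = memory.index(ATTR) + len(ATTR)
    out = bytearray()
    while p < end:                       # never trust `p == end` alone
        c = memory[p:p + 1]
        if c == b'"':
            break
        if c == b'\\':
            if p + 1 >= end:             # escape at the buffer's last byte
                break
            out += memory[p + 1:p + 2]
            p += 2
            continue
        out += c
        p += 1
    return bytes(out)


if __name__ == "__main__":
    print("vulnerable:", extract_title_vulnerable(MEMORY, REQUEST_END))
    print("fixed:     ", extract_title_fixed(MEMORY, REQUEST_END))
```

Run as written, the vulnerable parser returns `helloCookie: session=SECRET123; Authorization: Bearer TOKEN456`, the neighbour’s session cookie and bearer token included, while the fixed parser returns `hello`. The lesson generalizes beyond HTML parsers: whenever a loop advances a pointer or index by more than one, the termination test has to be an ordering comparison against the end, not an equality test.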

Lessons Learned

Fortunately, in the information age we can quickly learn from the mistakes of others and avoid repeating them.  Botnet feeds, which track botnet command-and-control activity in near real time, are an important tool: they let you spot an infected device and cut it off before it is conscripted into a botnet army.

Until next week—enjoy the headlines, but stay out of them.

MEDIA DIVISION
Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.