This Month in Cyber Security: February 2023

We've gathered the major headlines from February, along with our thoughts!

In this month’s news, we’ve seen the largest HTTP DDoS attack reported to date, a web hosting giant suffered a major breach, Twitter announced the implementation of payments for multi-factor authentication, and a new evasive malware named ‘Beep’ was discovered by cyber security researchers.

Continue reading to learn more about the cyber security headlines from February, and find out our thoughts!

Cloudflare hit by HTTP DDoS attack

On the 13th of February, web infrastructure giant Cloudflare announced a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second. Experts have described it as a hyper-volumetric attack, and it is the largest HTTP DDoS attack reported to date.

The DDoS attack originated from over 30,000 IP addresses, and targeted websites protected by Cloudflare including hosting providers, cloud computing platforms, and a popular gaming provider.

In a public statement, Cloudflare revealed that the attacks originated from numerous cloud providers, and that its team has been working with those providers to crack down on the botnet.

GoDaddy source code stolen by hackers

Web hosting giant GoDaddy suffered a breach in which hackers stole source code and installed malware on its servers.

After an internal investigation, it was revealed that the attackers had access to the company's network for several years; GoDaddy only discovered the breach in December 2022, after customers reported that their websites were redirecting to unknown domains. It was also announced that the GoDaddy breaches disclosed in November 2021 and March 2020 were linked to the same hackers.

GoDaddy is now working with cyber security forensics experts and law enforcement agencies as part of an ongoing investigation.

The news follows last month's cyber attack on video game developer Riot Games, in which the source code for League of Legends and Teamfight Tactics was stolen.

Payments for Twitter 2FA

Twitter has been back and forth in the news in recent months. Last month, it was announced that the social giant had fallen victim to yet another major data leak, and this month, it was announced that the use of SMS-based two-factor authentication (2FA) would be limited to Twitter Blue subscribers.

Non-Blue Twitter users who previously enrolled in SMS-based 2FA have until the 20th of March, 2023, to switch to an alternative method of authentication, such as an authenticator app or a hardware security key. After this cutoff date, the SMS option will be disabled unless the user subscribes to Twitter Blue. This means that only users who choose to pay for a Twitter Blue subscription ($8/£8 per month or $84/£84 per year) can continue to use SMS-based 2FA.

Twitter previously reported that only 2.6% of all active accounts have enabled at least one form of 2FA, with 74% of them using SMS as their 2FA method. From March onwards, we expect to see users switching to other, more secure forms of authentication.

Beep! The latest malware to fly under the radar

This month, cyber security researchers discovered a new, evasive malware strain, named Beep, designed to drop additional payloads onto a compromised host while evading detection.

A component of Beep is a dropper that reportedly creates a new Windows Registry key before executing a Base64-encoded PowerShell script. That script is responsible for extracting and launching the payload via process hollowing.
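The combination described above, a Base64-encoded PowerShell command line paired with a registry write, is also something a detection rule can key on. The following is an added, defender-side example (not code from the original post or from the researchers who analysed Beep): it decodes the `-EncodedCommand` argument (Base64 of UTF-16LE text, as powershell.exe expects) from process-creation log lines and flags well-known indicators in both the command line and the decoded script. The log lines, the registry path in the sample and the indicator list are constructed for illustration and are not taken from the Beep analysis.

```python
import base64
import binascii
import re
from typing import Dict, List

# powershell.exe accepts documented abbreviations of -EncodedCommand (-e, -ec, -enc);
# the argument is Base64 of the script encoded as UTF-16LE.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# Heuristics on the raw command line. Each is an indicator, not proof of malice.
CMDLINE_INDICATORS = {
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy-bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
}

# Heuristics on the decoded script.
SCRIPT_INDICATORS = {
    "registry-write": re.compile(r"(?i)\b(New|Set)-ItemProperty\b|\bNew-Item\b.*\bHK(LM|CU):"),
    "run-key-persistence": re.compile(r"(?i)CurrentVersion\\Run"),
    "download-cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"),
}


def decode_encoded_command(b64: str) -> str:
    """Reverse what -EncodedCommand expects: Base64 -> UTF-16LE bytes -> text."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return ""
    return raw.decode("utf-16-le", errors="replace")


def encode_for_powershell(script: str) -> str:
    """Used only to build the constructed sample log lines below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyse_command_line(cmdline: str) -> Dict[str, object]:
    """Return whether the line carries an encoded command, the decoded script, and matched indicators."""
    result: Dict[str, object] = {"encoded": False, "script": "", "indicators": []}
    match = ENCODED_FLAG.search(cmdline)
    if match:
        result["encoded"] = True
        result["script"] = decode_encoded_command(match.group(1))
    for name, pattern in CMDLINE_INDICATORS.items():
        if pattern.search(cmdline):
            result["indicators"].append(name)
    for name, pattern in SCRIPT_INDICATORS.items():
        if result["script"] and pattern.search(result["script"]):
            result["indicators"].append(name)
    return result


def severity(result: Dict[str, object]) -> str:
    """Encoding alone is common in admin tooling; encoding plus indicators is what warrants a look."""
    if result["encoded"] and result["indicators"]:
        return "high"
    if result["encoded"] or result["indicators"]:
        return "medium"
    return "low"


# Constructed process-creation log lines (Sysmon-style CommandLine field), not real telemetry.
SAMPLE_LOG: List[str] = [
    'CommandLine: powershell.exe -NoProfile -Command "Get-Date"',
    "CommandLine: powershell.exe -enc " + encode_for_powershell("Write-Output 'hello'"),
    "CommandLine: powershell.exe -w hidden -ep bypass -EncodedCommand "
    + encode_for_powershell(
        r"New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'"
        r" -Name 'Updater' -Value 'C:\Users\Public\upd.exe'"
    ),
]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Analyse each line and attach a severity so results can be sorted or alerted on."""
    results = []
    for line in lines:
        result = analyse_command_line(line)
        result["severity"] = severity(result)
        results.append(result)
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["severity"], entry["indicators"], repr(entry["script"][:60]))
```

Decoding the script before matching matters: a rule that only looks at the raw command line sees an opaque Base64 blob and never learns that it writes a Run key. In production the decoded text would also be kept with the alert so an analyst does not have to repeat the step by hand.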

“It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find.”

Natalie Zargarov, Researcher at Minerva Labs

Beep is likely to be a threat to watch in the coming months, so cyber security education remains one of the best defences. Organisations are advised to open only trusted attachments, to avoid executable attachments (.exe or .dll), and to interact only with websites that are protected.

SMS scam on Coinbase

Several employees at cryptocurrency exchange Coinbase were targeted in an SMS phishing campaign that resulted in hackers gaining access to the names, email addresses and phone numbers of the platform's employees.

The incident, which took place on the 5th of February, 2023, resulted in one employee falling for the scam: after the message urged employees to sign in to read an important company message, the employee entered their login credentials into a fake login page.

Once the employee had logged in, the attackers made repeated attempts to gain remote access to Coinbase's systems. Because multi-factor authentication was in place, these attempts were unsuccessful. Coinbase was alerted within 10 minutes of the attempted attack, and the attacker was blocked from gaining system access.

The attack on Coinbase is likely linked to 0ktapus, a phishing campaign targeting major companies including Mailchimp, Twilio, and Cloudflare, among over 100 other companies.

Zero-click malware protection from Samsung

Last week, Samsung announced a new feature called ‘Message Guard’ to safeguard users from zero-click malware and spyware attacks.

Message Guard, which is currently limited to the Samsung Galaxy S23 series, limits exposure to disguised threats by checking the file bit by bit and processing it in a controlled environment. Samsung intends to expand the security feature to other Galaxy smartphones and tablets later this year.

Zero-click attacks are sophisticated, highly targeted attacks that exploit flaws in software so that malicious code executes without any user interaction. Zero-click exploits are mostly engineered against vulnerabilities in applications, making them a highly lucrative way for attackers to deliver spyware to user devices.

Our Thoughts

In light of the recent SMS scam on Coinbase, all organisations are urged to be on the lookout for malicious and anomalous attempts to log in to remote systems. With around half of cyber attacks in the UK involving phishing (a third in the US), TryHackMe has training catered to a plethora of cyber threats and patterns, with over 640 training labs.

Learn how to analyse and defend against phishing emails, and investigate real-world phishing attempts using a variety of techniques with our phishing module.

With malware becoming increasingly difficult to detect, users will need to be better trained and more aware. Our Abusing Windows Internals training covers how internal components are vulnerable, the ways in which they may be exploited, and the mitigations and detections for these techniques.

Explore TryHackMe business training to offer customised staff training and reduce the risk of human error to your cyber security.