Cyber Alert: New Intel Vulnerabilities; Ransom DDoS Attacks; ATM Withdrawal Attacks; and Microsoft AD FS Multi-factor Bypass Vulnerability

August 16, 2018

This alert contains information about L1TF Intel vulnerabilities, a recurrence of ransom-driven distributed denial of service (RDDoS) attacks, a Microsoft AD FS multi-factor bypass vulnerability, and FBI warnings of a coordinated attack seeking massive ATM withdrawals.

L1TF Intel Vulnerabilities

On August 14, Intel disclosed a newly discovered series of processor vulnerabilities known as Level 1 Terminal Fault (L1TF). The vulnerabilities are also known as Foreshadow, based on a speculative execution technique used to potentially exploit them.

The vulnerabilities allow bad actors to steal information stored in the level 1 data cache of certain popular Intel® Core i3, i5, and i7 desktop/laptop processors and Xeon server processors. The vulnerabilities target the Intel Software Guard Extensions (SGX) feature, which was not exploited in the previous Meltdown and Spectre attacks. In addition to potentially allowing software on an individual machine to access data it is not authorized to read, an exploit on a virtualized host could allow an attacker to read data belonging to other tenants on the machine.

No attacks related to L1TF have been reported thus far. Intel has issued microcode updates, operating system updates, and hypervisor software updates to mitigate the vulnerabilities. In addition, Intel has expanded its bug bounty program in hopes of discovering and mitigating potential future vulnerabilities.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Apply operating system security updates and install future updates as soon as they are released.
  • If using virtual machines, verify that hypervisor software updates have been installed.
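As an added check that is not part of the original alert, the following POSIX shell function reads the L1TF status that Linux kernels carrying the L1TF patches expose under /sys/devices/system/cpu/vulnerabilities/l1tf and classifies it, separating the hypervisor case in which the host kernel is patched but guests can still leak cache contents. The status strings and the labels are assumptions drawn from the kernel's documentation of that file and from the wording current at the time of the alert.

```shell
#!/bin/sh
# Added example: classify a Linux host's L1TF mitigation status.
# Linux exposes one line in /sys/devices/system/cpu/vulnerabilities/l1tf;
# the strings matched below follow the kernel's L1TF documentation
# (assumption: the wording is unchanged on the kernel you run).
L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# Print one label for the status in file $1 (default: the live sysfs file).
l1tf_status() {
  f="${1:-$L1TF_SYSFS}"
  # Kernels without the L1TF patch set have no such file: report unknown,
  # which on a kernel that predates the mitigation is itself a finding.
  [ -r "$f" ] || { echo "unknown"; return 0; }
  s=$(cat "$f")
  case "$s" in
    "Not affected")                 echo "not-affected" ;;
    Vulnerable*)                    echo "vulnerable" ;;      # no PTE inversion at all
    Mitigation:*"VMX: vulnerable"*) echo "guest-exposed" ;;   # host fixed, L1D not flushed for VMs
    Mitigation:*"SMT vulnerable"*)  echo "smt-exposed" ;;     # flushes on, sibling hyperthread shares L1D
    Mitigation:*)                   echo "mitigated" ;;
    *)                              echo "unknown" ;;
  esac
}

# Exit 0 only when the host needs no further action, 1 otherwise,
# so the function can drive a fleet-wide compliance sweep after patching.
l1tf_check() {
  case "$(l1tf_status "$1")" in
    not-affected|mitigated) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone use: report the live status of this host.
printf 'L1TF status: %s\n' "$(l1tf_status)"
```

On a virtualization host, "guest-exposed" or "smt-exposed" means the operating system update alone is not enough and the hypervisor's L1D flush or SMT settings still need attention.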

Return of RDDoS Attacks

ACA Aponix has observed a recent uptick in RDDoS attacks on financial services firms in which attackers threaten distributed denial of service (DDoS) attacks that could bring down a firm’s data services if a ransom is not paid in bitcoin. A DDoS attack is most commonly carried out by sending gigabytes of data requests to a target’s DNS servers or web servers, flooding them with more traffic than they can handle and causing service failure.

Attackers will often email staff at the target with a date and a required ransom amount, and will cite other successful DDoS attacks. DDoS attacks have grown in prevalence as the number of insecure Internet of Things (IoT) devices has increased significantly; compromised devices can be used in aggregate to target firms. For example, in 2016, attackers unleashed an unprecedented DDoS attack against a security researcher’s blog, KrebsOnSecurity, in which over 665 Gigabits per second (Gbps) of traffic were directed at the website using IoT devices.

Financial loss from RDDoS attacks can be substantial, with average costs approaching $2.5 million for affected companies.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Utilize a DDoS-resilient DNS provider.
  • Utilize a DDoS-resilient web hosting provider.
  • Ideally, span services across multiple DDoS-resilient providers for both DNS and web-hosting.
  • Work with office/data center ISPs to enable DDoS protection features.

ATM Withdrawal Attacks

The FBI has warned that attackers may be working on a coordinated attack against ATM networks and banks, in which attackers would temporarily breach a bank’s authorization or access control systems, or breach a payment card processor or network, and then withdraw a significant amount of cash in a geographically distributed manner from global ATMs. The attackers may also seek to override cash withdrawal limits to bypass ATM controls.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Deploy ethical hackers to test systems and defenses and to validate monitoring and alerting.
  • Banks and payment card processors and networks should be extra-vigilant over the coming days, and involve their cybersecurity consultants, IT team, security monitoring (SOC), and legal teams in preparation for an attack.
  • Review your Incident Response Plan and prepare it for action.
  • Adjust configurable alerting tolerance levels in security information and event management (SIEM) software, intrusion detection systems (IDS), and other equipment so that suspicious activity is flagged more readily during this period.

Microsoft AD FS Multi-factor Bypass

A vulnerability has been reported in Microsoft's Active Directory Federation Services (AD FS) in which an attacker who has access to a single user account may be able to bypass multi-factor authentication for any other user within AD FS. This would allow a rogue internal user, or an outside attacker who has breached a single user account, to gain significant additional access on the internal network. Microsoft has released a set of patches for this vulnerability.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Apply Microsoft patches in a timely fashion.
  • Feed Active Directory and AD FS logs into a SIEM that may be able to identify abnormal login activity.

How ACA Aponix Can Help

ACA Aponix offers the following solutions that can help protect your firm from vulnerabilities, cyber-attack, and related cybersecurity risk, including:

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.