Cybersecurity Newsletter, February 14 - 28
Qrator Newsletter

Greetings, fellow newsletter subscriber! Once again, we are back with the best stories and articles published on the topic of cybersecurity in two weeks, between 14 and 28 February, the year 2021.

Unintended consequences of submarine cable deployment on Internet routing

"To study this, we looked at the South Atlantic Cable System (SACS), which was launched in mid-September, 2018. It was the first transatlantic cable traversing the southern hemisphere, and provided an ideal opportunity to examine what happened to traffic between different Internet regions pre and post-launch."
And the CAIDA publication itself:

The day the whole world did not walk away

"Yesterday, on February 19 Internet observed yet another demonstration of a handy Noction feature that is probably supposed to get you rich but is more likely to make you infamous."

Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue 

"In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).
About two weeks later, Google software security engineer Chris Palmer marked the bug "WontFix" because Google has resigned itself to the fact that ASLR can't be saved – Spectre and Spectre-like processor-level flaws can defeat it anyway, whether or not Oilpan can be exploited."

Putting DNSSEC signers to the test: Knot vs Bind

"We had our requirements, so we spun-up virtual machines to test Bind and Knot on DNS servers. Both DNS servers were configured in parallel with a production DNSSEC signer. This allowed us to load the same zones as production and apply the same monitoring tool and configuration management. Part of our new requirements was to use configuration management to deploy zone configuration, DNSSEC policy, monitoring, and metrics collection."

Bitcoins, blockchains and botnets

"A recent piece of malware from a known crypto mining botnet campaign has started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It's a simple, yet effective, way to defeat takedown attempts.
Recent infection attempts against Akamai SIRT's custom honeypots uncovered an interesting means of obfuscating command and control (C2) infrastructure information. The operators of a long-running crypto-mining botnet campaign began creatively disguising their backup C2 IP address on the Bitcoin blockchain. In this post, we examine how this data is used by their campaign to help distribute their malware, ensure persistence, and likely serve as an uncensorable defense against take-down efforts, as well as the concerning implications of these findings."

Powerhouse VPN products can be abused for large-scale DDoS attacks

"This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet."

Stop spoofed traffic at the door: Destination-side SAV

"Researchers from Brigham Young University, led by Casey Deccio, surveyed a large set of known DNS servers worldwide, using various spoofed-source addresses, and found that roughly half of all Autonomous Systems (ASes) fail to filter for spoofed traffic as it enters their network border.
While this might not be a ‘stop-everything-right-away-and-patch’ type vulnerability, this oversight does allow remote attackers to infiltrate the network and impersonate internal resources. This, in turn, facilitates attacks that could otherwise be prevented, such as DNS cache poisoning or the NXNS attack, a powerful new denial of service technique.
Fortunately, the solution to this — unlike some spoofing prevention techniques — directly protects the network employing it."

Cambodia to force all internet traffic through national 'Internet Gateway'

"Cambodia has formally announced a National Internet Gateway that will filter all traffic coming into the country, or traversing networks within its borders.
In a decree posted to Facebook on Wednesday, the nation outlined a system that resembles China’s notorious Great Firewall.
Cambodia's decree says the Gateway will strengthen the efficiency and effectiveness of national debt collection, national security protection and help maintain social order and culture."

The quarterly update about DDoS attacks: Q4 2020

"We saw an increase in technically more complex attacks called carpet bombing in the last three months of 2020. The large attacks on the
infrastructure of ISPs which started in August continued. These attacks were extremely powerful (up to 167 Gbit per second) and lasted longer than four hours. Also typical for the end of 2020 were the attacks after working hours and an average of 4 attacks per day. In the history of NaWas we never recorded more attacks per day than the last few months of 2020."

What chip startups can learn from Google's TPU design team

"The inception of Google’s effort to build its own AI chips is quite well known by now but in the interests of review, we’ll note that as early 2013 the company envisioned machine learning could consume the majority of its compute time. Inference was a particularly expensive proposition, forcing Google to look at its own possible role in creating purpose-built chips for its own massive-scale AI inference operations. The TPU was born with TPUv1 serving inference."

Using eBPF to uncover in-memory loading

"eBPF is really awesome for lots of reasons, as an example I use it in this project to log when malware uses bash pipes (|) to do in-memory loading from the internet."

Hunting for bugs in Telegram's animated stickers remote attack surface

"At the end of October ‘19 I was skimming the Telegram’s android app code, learning about the technologies in use and looking for potentially interesting features. Just a few months earlier, Telegram had introduced the animated stickers; after reading the blogpost I wondered how they worked under-the-hood and if they created a new image format for it, then forgot about it. Back to the skimming, I stumbled upon the rlottie folder and started googling. It turned out to be the Samsung native library for playing Lottie animations, originally created by Airbnb. I don’t know about you but the combination of Telegram, Samsung, native and animations instantly triggered my interest in learning more."


"In the second study of Project Memoria, Forescout Research Labs discloses NUMBER:JACK, a set of 9 new vulnerabilities affecting embedded TCP/IP stacks.
The vulnerabilities are all related to the same problem: weak Initial Sequence Number (ISN) generation, which can be used to hijack or spoof TCP connections. Ultimately, attackers may be able to leverage those
vulnerabilities to close ongoing connections, causing limited denials of service, to inject malicious data on a device or to bypass authentication."

Thanks for sharing the newsletter!
For feedback, please write to us at