Security Operations Team

Most Active Attackers 3-9-2018 Memcached Vulnerability


Today we are observing a somewhat normal amount of activity on our sensors. We have started including our internal sensors in reporting so there is more data available to customers.

Most active attackers today

Most of what we are seeing today is worm activity on port 445, along with some malicious actors scanning for memcached vulnerabilities. We did observe a US-based actor scanning for memcached vulnerabilities, as described below.

What is the memcached vulnerability? - From itopstimes.com's article on the subject.

Corero Network Security has disclosed that the Memcached vulnerability that was responsible for last week’s GitHub DDoS attack is more extensive than originally reported. It is now known that the vulnerability can be used to steal or modify data from the Memcached servers.

Memcached is an open-source system that stores data in memory to speed up access times. The exploit allows attackers to create floods of traffic by generating spoof requests and amplifying DDoS attacks by up to 50,000 times.

The 95,000 servers that answer on TCP or UDP port 11211 can be used by attackers to launch DDoS attacks and expose data as a result of this vulnerability. According to Corero Network Security, any Memcached server that can be used in a DDoS attack can also be used for gathering user data cached from the local network or host.

In addition to stealing user data, attackers can also modify the data and reinsert it back into the cache without the Memcached owner ever realizing, said the company.

“Memcached represents a new chapter in DDoS attack executions,” said Ashley Stephenson, CEO of Corero Network Security. “Previously, the most recent record-breaking attacks were being orchestrated from relatively low bandwidth Internet of Things (IoT) devices. In contrast, these Memcached servers are typically connected to higher bandwidth networks and, as a result of high amplification factors, are delivering data avalanches to crippling effect. Unless operators of Memcached servers take action, these attacks will continue.”

Since the Memcached protocol was designed to be used without the need for authentication, anything a user adds to a vulnerable Memcached server can be stolen by others on the internet without leaving behind an audit trail.

The Memcached developer community has issued multiple warnings about security risks, but users still leave the default configurations for operating systems and cloud services, allowing for access into the Memcached service.

“While this blatant lapse of security is relatively clear to the accomplished security practitioner or hacker, it is not known to the increasingly business-oriented, non-technical user who is clicking a button to set up a new server in the cloud,” said Stephenson. “There are dozens of US-CERT CVE and obscure security warnings related to Memcached but few of them address the clearly obvious issue of leaving the front door open on the internet for anyone to come in and take your data.”

While exposing the newly discovered capability of the Memcached vulnerability, the company has also announced a “kill switch” countermeasure for the attack. The kill switch sends a command back to the attacking server to suppress the DDoS exploitation and invalidates the servers’ cache, said the company.

The countermeasure has been tested on live servers and appears to be 100 percent effective, according to the company. Corero Security Networks has disclosed this measure to national security agencies to take action.
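
The article above ties the exposure to servers left on default settings and answering on TCP or UDP port 11211 without authentication. The following is an added example (not from this post, the quoted article, or Corero) that audits a memcached options file for those conditions. It assumes a file with one short option per line (`-l` listen address, `-U` UDP port, `-S` SASL), treats a missing `-U 0` as UDP possibly enabled, and uses constructed sample configurations.

```python
import ipaddress

def parse_options(conf_text):
    """Return {flag: value} from an options file with one flag per line."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments and blanks
        if tokens and tokens[0].startswith("-"):
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False    # unparsable names count as exposed (conservative)

def audit(conf_text):
    """Return the list of exposure findings for one configuration."""
    opts = parse_options(conf_text)
    findings = []
    listen = [a.strip() for a in opts.get("-l", "").split(",") if a.strip()]
    # No -l at all means memcached binds every interface.
    exposed = not listen or not all(is_loopback(a) for a in listen)
    if exposed:
        where = ",".join(listen) or "all interfaces (no -l)"
        findings.append("listens beyond loopback: " + where)
    if opts.get("-U") != "0":
        findings.append("UDP not explicitly disabled (-U 0 missing)")
    if exposed and "-S" not in opts:
        findings.append("no SASL authentication (-S) on a reachable listener")
    return findings

# Constructed samples, not taken from any real host.
EXPOSED_CONF = """
-d
-m 64
-p 11211
-u memcache
-l 0.0.0.0      # reachable from any network
"""
HARDENED_CONF = EXPOSED_CONF.replace("-l 0.0.0.0", "-l 127.0.0.1") + "-U 0\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A clean result only describes the options file; host firewall and cloud security-group rules for port 11211 still need their own review.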
