Saturday, July 24, 2021

Plex Media servers are being actively abused for DDoS attacks


DDoS-for-hire services are actively abusing Plex Media Server systems as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Cyber-security firm Netscout warns of new DDoS attack vectors.

The company's alert is directed at owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that is typically used for video or audio streaming and multimedia asset management.

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms and network-attached storage (NAS) devices, Docker containers, and more.

The app can be installed on regular web servers, but it usually ships pre-installed on network-attached storage (NAS) systems, digital media players, or other types of multimedia-streaming IoT devices.

PLEX MEDIA SERVERS PUNCH A HOLE IN ROUTER NATS

Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have abused UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers, reflecting them toward the attackers' targets.

The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.

“The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame).”

According to Netscout, the amplification factor is around 4.68: a Plex Media Server turns an incoming 52-byte PMSSDP packet into a response of around 281 bytes before sending it to the victim.

PMSSDP DDoS mitigation

Broadband Internet access operators with PMSSDP reflectors/amplifiers exposed on their networks by customers can experience “partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access, distribution, aggregation, core, peering, or transit link capacity consumption.”

While filtering all traffic on UDP/32414 can mitigate such attacks, it could also block legitimate traffic and connections.

To mitigate such attacks, organizations can quarantine end-customer nodes exposed to attacks and filter UDP/32414 traffic on abusable nodes.

“Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers,” Netscout added.

“It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers.”
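Operators doing the reconnaissance Netscout recommends can start from the flow records they already collect. The following is an added example, not code from the article or from Netscout: it pairs outbound UDP/32414 response flows with the spoofed requests that triggered them, flags hosts answering in bulk, and reports the observed byte ratio per reflector. The flow format, threshold and addresses are constructed; the ratio it reports is the raw byte ratio of the sample records, not Netscout's published 4.68 figure.

```python
import re
from collections import defaultdict
PMSSDP_PORT = 32414   # UDP port the article says PMSSDP is exposed on
MIN_PACKETS = 100     # assumed threshold; a handful of replies is normal discovery traffic
# Constructed flow records (not real data): proto src sport dst dport packets bytes
SAMPLE_FLOWS = """\
udp 203.0.113.10 32414 198.51.100.7 443 400 112400
udp 198.51.100.7 443 203.0.113.10 32414 400 20800
udp 203.0.113.10 32414 198.51.100.9 80 350 98350
udp 198.51.100.9 80 203.0.113.10 32414 350 18200
udp 203.0.113.44 32414 192.0.2.5 40000 3 843
udp 192.0.2.5 40000 203.0.113.44 32414 3 156
"""
FLOW_RE = re.compile(r"^(\w+) (\S+) (\d+) (\S+) (\d+) (\d+) (\d+)$")

def parse_flows(text):
    """Parse one UDP flow per line into dicts; non-matching or non-UDP lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m.group(1) != "udp":
            continue
        proto, src, sport, dst, dport, pkts, nbytes = m.groups()
        flows.append({"proto": proto, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def find_pmssdp_reflectors(flows, min_packets=MIN_PACKETS):
    """Map reflector IP -> summary for hosts emitting bulk UDP/32414 responses."""
    out = defaultdict(lambda: {"packets": 0, "bytes": 0, "victims": set()})
    inbound = defaultdict(int)  # (reflector, victim) -> bytes of spoofed requests seen
    for f in flows:
        if f["dport"] == PMSSDP_PORT:          # request arriving at the reflector
            inbound[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == PMSSDP_PORT:        # response leaving the reflector
            rec = out[f["src"]]
            rec["packets"] += f["packets"]
            rec["bytes"] += f["bytes"]
            rec["victims"].add(f["dst"])
    report = {}
    for ip, rec in out.items():
        if rec["packets"] < min_packets:
            continue
        req_bytes = sum(inbound.get((ip, v), 0) for v in rec["victims"])
        report[ip] = {"packets": rec["packets"],
                      "avg_response_bytes": round(rec["bytes"] / rec["packets"], 1),
                      "amplification": round(rec["bytes"] / req_bytes, 2) if req_bytes else None,
                      "victims": sorted(rec["victims"])}
    return report
```

Hosts that appear in the report are candidates for the quarantine and UDP/32414 filtering the article describes; the victim list tells you which destinations were being flooded from your network.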

DHS-CISA provides guidance on how to avoid becoming a DDoS victim, how to detect DDoS attacks, and what measures to take while under a DDoS attack.

Earlier this month, Netscout reported that Windows Remote Desktop Protocol (RDP) servers are now also being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.

In 2019, Netscout also detected DDoS attacks abusing the macOS Apple Remote Management Service (ARMS) as an amplification vector.

ARMS-abusing DDoS attacks observed at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.

27K+ PLEX MEDIA SERVERS ARE EXPOSED ON THE INTERNET

The security firm said it scanned the internet and found 27,000 Plex Media Servers exposed online that could be abused for DDoS attacks.

Furthermore, some servers have already been abused. Netscout said that not only had it seen DDoS attacks using Plex Media Servers, but that this vector is now becoming common.

“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the company said.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
