In early March, researchers disclosed the serious DROWN vulnerability in OpenSSL, which affects more than 11 million modern websites and e-mail services that still support the SSLv2 protocol. Bkav took a deep look into Viet Nam's situation and found that hundreds of important websites were affected, putting users' data such as passwords, personal information and credit card details at risk of being stolen.
Among the affected systems, 58% are in the financial sector, 21% in the petroleum sector, 11% in the industrial and consumer goods sectors, 5% in the technology and telecommunications sectors, and 5% in the transportation and tourism sector.
Bkav urgently informed the affected organizations and helped them address the issue, securing their customers' information.
What is DROWN attack?
DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption."
DROWN exploits weaknesses in the SSLv2 protocol, affecting encrypted connections such as HTTPS and other services that rely on SSL and TLS. These protocols are what let everyone on the Internet browse the web, use e-mail, shop online and remotely access organizations' internal applications.
A DROWN attack could allow an attacker to read users' sensitive data such as passwords, personal information and credit card details, to read private e-mails, or to gain unauthorized access to an organization's internal network.
According to Bkav, DROWN is more difficult to exploit than the Heartbleed vulnerability because the attacker must first perform a man-in-the-middle attack. However, exploiting this vulnerability to steal users' credentials is feasible. Administrators should promptly disable the SSLv2 protocol to secure their systems and users.
System administrators can use Bkav's tool, dubbed DROWN Checker, to check whether their systems are vulnerable. The tool is available at http://tools.whitehat.vn. Open the link and enter your server's domain to run the check.
How to address DROWN attack
Step 1: Check whether your website is vulnerable to DROWN using the checker at tools.whitehat.vn.
Step 2: Disable SSLv2, following the instructions for your operating system below.
For Windows server
To turn off SSLv2 on Windows, use the tool provided by Microsoft (http://go.microsoft.com/?linkid=9742318).
* Note: If there is no SSL 2.0 key under the protocols, create it and then follow the instructions above.
For Linux server
Upgrade OpenSSL to a fixed release: 1.0.1s on the 1.0.1 branch, or 1.0.2g on the 1.0.2 branch. For 1.0.1:
wget http://www.openssl.org/source/openssl-1.0.1s.tar.gz
tar -xvzf openssl-1.0.1s.tar.gz
cd openssl-1.0.1s
./config --prefix=/usr/
make
sudo make install
For 1.0.2:
wget http://www.openssl.org/source/openssl-1.0.2g.tar.gz
tar -xvzf openssl-1.0.2g.tar.gz
cd openssl-1.0.2g
./config --prefix=/usr/
make
sudo make install
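Step 1 relies on Bkav's DROWN Checker. The following is an added example, not Bkav's tool and not OpenSSL code, showing what such a check does under the hood: it sends one SSLv2 ClientHello to a server you administer and reports whether the server answers with an SSLv2 ServerHello (and which SSLv2 ciphers it accepts). A server that answers still speaks SSLv2 and must be fixed as in Step 2; a patched server typically replies with a TLS alert or simply closes the connection. The host and port passed to probe() are whatever you supply; the two sample replies at the bottom are constructed bytes for offline use, not captures from any real host.

```python
"""Minimal SSLv2 support check (added example, not Bkav's DROWN Checker)."""
import os
import socket
import struct

# SSLv2 cipher kind codes (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_client_hello(challenge=None):
    """Return an SSLv2 record carrying a ClientHello that offers every SSLv2 cipher."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (
        struct.pack("!BH", MSG_CLIENT_HELLO, 0x0002)          # msg type, version 2.0
        + struct.pack("!HHH", len(ciphers), 0, len(challenge))  # spec len, no session id
        + ciphers + challenge
    )
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Return the cipher names an SSLv2 ServerHello accepts, or None when the
    bytes are not an SSLv2 ServerHello (TLS alert, empty reply, garbage)."""
    if len(record) < 2 or not record[0] & 0x80:
        return None                                   # not a 2-byte SSLv2 header
    length = struct.unpack("!H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _, _session_hit, _cert_type, version, cert_len, ciph_len, _conn_len = \
        struct.unpack("!BBBHHHH", body[:11])
    if version != 0x0002:
        return None
    spec = body[11 + cert_len:11 + cert_len + ciph_len]   # cipher specs follow the cert
    return [SSLV2_CIPHERS.get(spec[i:i + 3], spec[i:i + 3].hex())
            for i in range(0, len(spec) - len(spec) % 3, 3)]


def probe(host, port=443, timeout=5.0):
    """Check your own server: list of accepted SSLv2 ciphers, or None if SSLv2 is refused."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return None
    return parse_server_hello(reply)


# Constructed sample replies for offline use (not captured from any real host).
# An SSLv2 ServerHello with a one-byte dummy certificate that accepts two ciphers.
SAMPLE_VULNERABLE_REPLY = (
    struct.pack("!H", 0x8000 | (11 + 1 + 6 + 16))
    + struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002, 1, 6, 16)
    + b"\x30" + b"\x01\x00\x80" + b"\x07\x00\xc0" + b"\x00" * 16
)
# A patched server answers the SSLv2 hello with a TLS alert record (type 0x15).
SAMPLE_PATCHED_REPLY = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else parse_server_hello(SAMPLE_VULNERABLE_REPLY)
    print("SSLv2 refused" if result is None else f"SSLv2 accepted: {result}")
```

Run it with your own hostname as the argument, and repeat for every service that uses the same RSA key, not just the website: DROWN lets an attacker use any SSLv2-enabled server holding that key (an e-mail server, for instance) to attack TLS connections to the others, so disabling SSLv2 on the web server alone does not close the hole.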
Bkav