Headline
Top resources for Cybersecurity Awareness Month
Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.
Thursday, October 12, 2023 14:10
Welcome to this week’s edition of the Threat Source newsletter.
I didn’t feel like I wanted to write anything special or witty this week given the current events in Israel and the Gaza Strip, but I will certainly advocate for any assistance readers would like to provide to the various organizations and helpers who are trying to do some good for Israeli and Palestinian civilians right now.
And since it’s still Cybersecurity Awareness Month, I also wanted to provide some links to various resources, blog posts and podcasts that I’ve found particularly helpful this month and I think you will, too.
- Countering the Rise of Ransomware (Cisco YouTube)
- Talos APJC Threat Update: How attackers are using AI
- The New Normal: How XDR is Tackling Social Engineering in Today’s World (Cisco Secure blog)
- CISA’s Secure Our World initiative
- Allied Against Hate: CISA resources for faith and community leaders
- Fact sheet: Improving Security of Open Source Software in Operational Technology and Industrial Control Systems
**The one big thing **
Many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record. CVE-2023-44487, a vulnerability in the HTTP/2 protocol, was recently used to launch intensive DDoS attacks against several targets. The problem lies in the way that HTTP/2 protocol handles request cancellations or resets. When a client issues a reset for an HTTP/2 request, this consumes resources on the server as it cancels the corresponding stream. However, after issuing a reset, the client can instantly open a new stream.
**Why do I care? **
Google said the attack in August was the heaviest DDoS assault it ever recorded at over 398 million requests per second, which the company said is more than seven times larger than any other its ever recorded. So, the sheer scale is certainly notable. If this type of attack was launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible.
**So now what? **
Users of any products using the vulnerable protocol — individual companies like F5 and Microsoft have released individual advisories about anything that was affected — should make sure patches are implemented immediately. However, this issue is largely about appropriate DDoS mitigation techniques on your environment. A newly released Snort rule, SID 62519, can detect activity associated with this vulnerability.
**Top security headlines of the week **
Attackers have published the personal information of almost one million people who have Ashkenazi Jew heritage after the adversaries breached genetic testing service 23AndMe. The list allegedly includes full names, sex and 23AndMe’s data on where their ancestry stems from. As of Wednesday morning, the company was still investigating the attackers’ claims but assumed it was authentic. Customers can learn more about their family’s heritage by providing identification data, health information, phenotype, photos and more to 23AndMe. A security researcher said the information looked authentic, and that it’s a sign that a data breach can be dangerous, even if attackers don’t end up manually breaking into a deeper layer of the network. (The Record by Recorded Future 23andMe scraping incident leaked data on 1.3 million users of Ashkenazi and Chinese descent)
Microsoft patched more than 100 vulnerabilities in its range of products as part of its monthly security update. This batch included two zero-day vulnerabilities that had already been exploited in the wild and nine critical issues in the Layer 2 tunneling protocol. Meanwhile, Apple also released a security update Tuesday to fix two critical vulnerabilities in its iOS mobile operating system that were also being exploited in the wild. CVE-2023-42724 in iOS and iPadOS, has been exploited by attackers to elevate their access on a local device. Back on the Microsoft side, the company also used Patch Tuesday as an opportunity to fix security holes in their products related to the high-profile HTTP/2 protocol used to launch massive, distributed denial-of-service (DDoS) attacks earlier this year. (Talos, Krebs on Security)
The International Committee of the Red Cross published new guidelines this week, hoping hacktivist groups will follow during wartime to avoid affecting critical infrastructure and everyday civilians. An increasing number of civilian hackers have become involved in international conflicts hoping to make a difference, especially in the Russia-Ukraine war and now again in Israel. The Red Cross’ new guidelines urge these groups and individuals to obey national laws, if appropriate, and follow the same set of rules for kinetic warfare that international humanitarian law (IHL) provides, and which are aimed at safeguarding “civilians, and soldiers who are no longer able to fight, from some of the horrors of war.” Some of the objectives put forth include not targeting civilian objectives, deploying any malware that may target military and civilian targets indiscriminately and adhering to these rules even if the enemy does not. (Washington Post, SecurityWeek).
**Can’t get enough Talos? **
- Talos Takes Ep. #157: Cybersecurity Awareness Month: The best practices for implementing multi-factor authentication
- Qakbot hackers now pushing Cyclops/Ransom Knight ransomware, Cisco says
- Qakbot hackers are still spamming victims despite FBI takedown
- Qakbot Attackers Remain Alive and Quacking, Researchers Find
- Researcher Spotlight: How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency
- Vulnerability Roundup: 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflow
**Upcoming events where you can find Talos **
ATT&CKcon 4.0 (Oct. 24 - 25)
McLean, Virginia
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
misecCON (Nov. 17)
Lansing, Michigan
Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines.
**Most prevalent malware files from Talos telemetry over the past week **
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827
MD5: bf357485cf123a72a46cc896a5c4b62d
Typical Filename: bf357485cf123a72a46cc896a5c4b62d.virus
Claimed Product: N/A
Detection Name: W32.Auto:d5219579ee.in03.Talos
SHA 256: 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa
MD5: 9403425a34e0c78a919681a09e5c16da
Typical Filename: vincpsarzh.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::tpd
SHA 256: 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440
MD5: ef6ff172bf3e480f1d633a6c53f7a35e
Typical Filename: iizbpyilb.bat
Claimed Product: N/A
Detection Name: Trojan.Agent.DDOH
SHA 256: 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa
MD5: e9a6b1346d1a2447cabb980f3cc5dd27
Typical Filename: профиль 10 класс.exe
Claimed Product: N/A
Detection Name: Application_Blocker
Related news
Red Hat Security Advisory 2024-6536-03 - Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal. Issues addressed include bypass, denial of service, information leakage, and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1454-03 - Red Hat OpenShift Container Platform release 4.13.38 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-0485-03 - Red Hat OpenShift Container Platform release 4.12.48 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a cross site scripting vulnerability.
Red Hat Security Advisory 2023-7626-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available. Issues addressed include buffer overflow, denial of service, information leakage, and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-7653-03 - An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2023-7481-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-6233-01 - Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6200-01 - The multicluster engine for Kubernetes 2.1.9 General Availability release images, which contains security fixes and update container images. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6144-01 - An update for custom-metrics-autoscaler-adapter-container, custom-metrics-autoscaler-admission-webhooks-container, custom-metrics-autoscaler-container, custom-metrics-autoscaler-operator-bundle-container, and custom-metrics-autoscaler-operator-container is now available for the Custom Metric Autoscaler operator for Red Hat OpenShift. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6438-2 - USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799] was incomplete. This update fixes the problem. Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2023-6080-01 - Red Hat Integration Camel for Spring Boot 4.0.1 release and security update is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5978-01 - JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.13 base is now available. See references for release notes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5956-01 - Red Hat build of OptaPlanner 8.38.0 for Quarkus 2.13.8 release and security update is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5935-01 - An update for osp-director-agent-container, osp-director-downloader-container, osp-director-operator-bundle-container, and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5866-01 - An update for grafana is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5865-01 - An update for grafana is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5838-01 - libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5810-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Red Hat Security Advisory 2023-5805-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5784-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5705-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5679-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.39. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5780-01 - A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only erratum is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5770-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5768-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5765-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5714-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5713-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5711-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5709-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. CVE-2023-44487 CVE-2023-44487, a vulnerability in the
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see ...
Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
By Deeba Ahmed Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day. This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History
Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487,
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.