Red Hat Security Advisory 2023-6233-01 - Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6233.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Enterprise security updateAdvisory ID:        RHSA-2023:6233-01Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6233Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.12. See the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2023:6126Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.All OpenShift Container Platform users are advised to upgrade to these updated packages and images.Solution:https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.htmlCVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6233-01

Red Hat Security Advisory 2023-6217-01 - Red Hat OpenShift Container Platform low-latency extras release 4.14, which provides an update for cnf-tests-container, dpdk-base-container, NUMA-aware secondary scheduler and numaresources-operator is now available. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6217.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Enterprise security updateAdvisory ID:        RHSA-2023:6217-01Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6217Issue date:         2023-10-31Revision:           01CVE Names:          CVE-2023-39325====================================================================Summary: Red Hat OpenShift Container Platform low-latency extras release 4.14, which provides an update for cnf-tests-container, dpdk-base-container, NUMA-aware secondary scheduler and numaresources-operator is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14. See the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2023:5006Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6217-01

Red Hat Security Advisory 2023-6154-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.2.0. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6154.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Secondary Scheduler Operator for Red Hat OpenShift 1.2.0  
Advisory ID:        RHSA-2023:6154-01  
Product:            Openshift Secondary Scheduler Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6154  
Issue date:         2023-11-01  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Secondary Scheduler Operator for Red Hat OpenShift 1.2.0

Description:

The Secondary Scheduler Operator for Red Hat OpenShift is an optional  
operator that makes it possible to deploy a secondary scheduler by  
providing a scheduler image. You can run a scheduler with custom  
plugins without applying additional manifests, such as cluster roles  
and deployments.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

* golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

 * golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

 * golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6154-01

By Deeba Ahmed
Earlier, Boeing acknowledged a cyberattack amidst claims by the Lockbit ransomware gang of breaching its security and stealing data.
This is a post from HackRead.com Read the original post: Lockbit Ransomware Leaks Boeing Data Trove

The notorious Lockbit ransomware group has leaked a trove of data belonging to the leading global aerospace company Boeing, apparently following failed ransom negotiations.

The notorious **LockBit ransomware** group has struck again, and this time, its victim is aerospace giant Boeing. The ransomware gang infiltrated Boeing’s systems and stole a significant amount of sensitive data. 

****Timeline of the attack and data leak****

On October 27, 2023, the hackers mentioned Boeing on their data leak website, and gave the firm a 2nd November deadline, revealing to have exfiltrated a tremendous amount of sensitive archive and backup data. The company was given 48 hours to contact LockBit.

On November 2nd, 2023, as **reported by Hackread.com**, Boeing acknowledged that it suffered a cyberattack but did not confirm whether it was a ransomware attack and if Lockbit’s claims were authentic.

Later, the group removed Boeing from its site, claiming that negotiations had started. Then, the company reappeared on November 7 with another message from LockBit stating that the company ignored warnings. 

The hackers then published 4GB of data as a sample, which comprised backup files of different systems featuring an October 22 timestamp. Boeing’s continued silence on the incident prompted LockBit to release all the stolen data on their website on November 10.

This included Boeing’s IT management software’s configuration backups, and auditing/monitoring tools logs. It also included Citrix appliances’ backups, sparking speculation that the hackers might have exploited the **Citrix Bleed vulnerability (CVE-2023-4966)**.

According to MalwareHunterTeam’s **assessment**, most of the exposed files are associated with a Boeing-owned aviation and aerospace parts manufacturer called Aviall.

Boeing, one of the world’s leading aerospace firms that operate defence systems and commercial aeroplanes, has confirmed the hacking, stating that it is investigating the incident to verify LockBit’s claims and “determine the scope of any potential data breach.”

The company intends to take “appropriate steps” to protect its customers and information. Boeing has also stated that the incident doesn’t threaten aircraft or flight safety. 

Boeing’s services **website** is down currently. This is a developing story, and Hackread will update you about the incident when there’s some clarity about the root cause of the hacking.

The LockBit ransomware gang has been active since 2020 and claimed several high-profile victims, including DXC Technology, Accenture, and the German government, via double extortion. As per CISA’s advisory, since 2020 LockBit targeted 1,700 US firms and made around **$91 million** in ransom payments.

****What Experts Have to Say!****

Comparitech’s head of data research, **Rebecca Moody**, shared an exclusive comment on this incident with _Hackread.com_, stating that LockBit has emerged as one of the most prevalent ransomware-as-a-service operators this year.

“LockBit has been particularly prevalent this year when it comes to the confirmed ransomware attacks we’ve tracked worldwide. So far this year, we’ve recorded 122 confirmed LockBit attacks,” Rebecca said.

Rebecca further revealed that “In 2022, we recorded 97 LockBit attacks throughout the entire year. The number of confirmed records impacted by these breaches has skyrocketed, too. In 2022, LockBit is confirmed to have stolen 957,438 records across 26 attacks (creating an average of 36,825 records per attack).”

“This year, just over 9.3 million records are confirmed to have been impacted in 20 attacks (465,194). Adding to this are the huge ransom demands being made by the cybercriminals. So far, LockBit has demanded a whopping $196.6 million in ransoms across 15 attacks alone (an average of $13.1 million per case). In 2022, $137.4 million was demanded across 18 cases (an average of $7.63 per case),” she explained.

Nevertheless, while not new to cyberattacks, when it comes to cybersecurity, it is a challenging day for Boeing. It will be crucial to see how the company responds to the situation.

****_RELATED ARTICLES_****

1.  Bangkok Airways hit by Lockbit ransomware; leaks 103GB of data
2.  Accenture claims to fight off LockBit ransomware gang with backup
3.  LockBit ransomware gang blames victim for DDoS attack on its website
4.  LockBit 3.0 Posts Dubious Claims of Breaching Darktrace Cybersecurity Firm
5.  Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware

Lockbit Ransomware Leaks Boeing Data Trove

By Waqas
While OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. 
This is a post from HackRead.com Read the original post: OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

The OracleIV botnet malware employs various tactics, with a primary focus on executing DDoS attacks through UDP and SSL-based floods.

Cybersecurity researchers at Cado Security Labs have exposed a novel (Distributed Denial of Service) DDoS botnet malware dubbed OracleIV targeting publicly exposed Docker Engine API instances.

The findings were part of an investigation into a malicious campaign exploiting misconfigurations in Docker containers to deliver Python malware, compiled as an ELF executable.

Lately, Docker Engine APIs have been frequent targets of cybercriminals since the method has gained popularity due to the increasing adoption of microservice-driven architectures. Attackers exploit the unintentional exposure of the Docker Engine API, often scanning for vulnerable instances to deliver payloads with nefarious objectives.

In the case of the new OracleIV DDoS botnet malware, the attackers initiate access with an HTTP POST request to Docker’s API, specifically the /images/create endpoint. This triggers a docker pull command, fetching a specified image from Dockerhub. Once the malicious image is retrieved, a container is launched to carry out the attacker’s objectives.

Cado Security researchers uncovered a live Dockerhub page for an image named “oracleiv_latest” uploaded by the user “robbertignacio328832.” The image, seemingly harmless as a “Mysql image for docker,” included a malicious payload named “oracle.sh,” an ELF executable acting as a DDoS bot agent. Further analysis revealed additional commands to retrieve XMRig and a miner configuration file.

Static analysis of the executable exposed a 64-bit ELF compiled with Cython, confirming the OracleIV malware’s Python code origin. The malware code, succinct yet potent, contains various functions dedicated to different DDoS methods.

“This image was still live at the time of writing and had over 3,000 pulls,” researchers explained in a blog post. Additionally, it seems to be undergoing frequent updates, with the latest modifications pushed just three days prior to the publication of Cado’s blog.

Dockerhub page for oracleiv\_latest (Cado Security)

The bot connects to a Command and Control server (C2), performing basic authentication with a hardcoded password. Cado Security Labs monitored the botnet’s activity, witnessing DDoS attacks on various targets, primarily using UDP and SSL-based floods.

The C2 commands for initiating DDoS attacks follow a specific format, specifying attack type, target IP/domain, attack duration, rate, and target port. The botnet’s capabilities include UDP floods, SSL-based attacks, SYN floods, slowloris-style attacks, and protocol-specific floods targeting the FiveM server and Valve source engine.

While OracleIV is not a **supply chain attack**, it highlights the ongoing threat of misconfigured Docker Engine API deployments. The portability of containerization enables attackers to execute malicious payloads consistently across Docker hosts.

Although Cado Security has reported the malicious user to Docker, users are urged to conduct periodic assessments of pulled images from Dockerhub, emphasizing the need for vigilance against malicious code.

In conclusion, the OracleIV campaign highlights the importance of securing internet-facing services and implementing strong network defences. Users of Docker and similar services are encouraged to regularly review their exposure and take necessary precautions against potential cybersecurity threats.

****_RELATED ARTICLES_****

1.  **SSH Remains Most Targeted Service in Cado’s Cloud Threat Report**
2.  **Change your password: Docker suffers breach; 190k users affected**
3.  **Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware**
4.  **Cryptomining and Malware Flourish on Misconfigured Kubernetes Clusters**
5.  **ShellTorch Attack Exposes Millions of PyTorch Systems to RCE Vulnerabilities**

OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

By Owais Sultan
In the ever-evolving landscape of financial markets, the US Tech 100 Index, represented by the Nasdaq 100, emerges…
This is a post from HackRead.com Read the original post: Navigating Interconnections: Correlations Between the US Tech 100 Index and Major Indices

In the ever-evolving landscape of financial markets, the US Tech 100 Index, represented by the **Nasdaq 100**, emerges as a guiding star for investors seeking exposure to the dynamic technology sector. Yet, to truly harness the potential of this index, one must unravel the intricate web of correlations it shares with other major indices, particularly the S&P 500 and the Dow Jones Industrial Average (DJIA). 

****The Dance of Titans: Nasdaq 100 and S&P 500****

At the heart of this financial ballet lies the dance between the Nasdaq 100 and the S&P 500, two giants that sway to market trends. The correlation between these indices is palpable, a result of shared constituents that bridge the worlds of technology and diverse sectors. Companies like Apple, Microsoft, and Amazon, pivotal players in the Nasdaq 100, also wield influence in the S&P 500, creating a synchronized ebb and flow in their movements.

Historical market data unveils a narrative of tandem strides during pivotal moments. Whether it be the exuberance of bull markets or the caution of bear markets, the **US Tech 100** and S&P 500 often move harmoniously, echoing sentiments reverberating across the broader market landscape. This interconnectedness underscores the need for strategic portfolio construction, as high correlations between these indices demand a nuanced approach to diversification.

****Harmony and Discord: Nasdaq 100 and DJIA****

Yet, as we get deeper into the financial symphony, we encounter a more complex melody in the relationship between the Nasdaq 100 and the DJIA. With its 30 blue-chip constituents, the Dow brings a different timbre to the ensemble. Its diversified composition, spanning various sectors, introduces nuances to the correlation game.

During economic expansions, the Nasdaq 100 may take center stage, propelled by the **surging performance of technology stocks**. However, with its broader representation, the DJIA might follow a different rhythm, reflecting a more measured response to economic cycles. The result is a correlation that dances to a subtler tune, highlighting the interplay of diverse market forces.

****Strategies in the Symphony: Navigating Correlations****

In this financial symphony, traders and investors become conductors, orchestrating strategies that leverage the interconnections between indices. Portfolio diversification becomes an art, with an awareness that high correlations between the Nasdaq 100 and S&P 500 necessitate a thoughtful selection of assets to achieve true diversification.

Strategic diversification emerges as a key motif. By introducing assets with lower correlations, such as commodities or international equities, investors can fine-tune their portfolios to harmonize with the dynamic rhythms of the market. It’s a strategic dance, adapting to the ever-changing correlations that define the contemporary financial landscape.

Yet, in this intricate ballet, the one constant is change. Economic variables, global events, and the individual movements of stocks all play their part in reshaping correlations. Traders and investors must remain vigilant, adapting their strategies to the evolving dynamics of the market.

1.  The 10 Best Cybersecurity Companies in the UK
2.  Dow Jones’ screening watchlist data exposed online
3.  10 Top DDoS Attack Protection and Mitigation Companies in 2023
4.  Can ordinary companies keep up with data compliance regulations?
5.  3 of 5 Fortune 500 companies vulnerable due to ManageEngine flaws

Navigating Interconnections: Correlations Between the US Tech 100 Index and Major Indices

Plus: A DDoS attack shuts down ChatGPT, Lockbit shuts down a bank, and a communications breakdown between politicians and Big Tech.

Drones, hidden cameras, thermal vision scopes—these are just a few examples of the high-tech equipment recommended by the animal liberation group Direct Action Everywhere, according to a manual released by the organization this week. The document, which was reviewed by WIRED, is a rare glimpse into how the organization is using tech to target factory farms in often brazen operations that have rescued pigs, goats, ducks, and chickens.

Extremist groups are experimenting with generative AI to flood social media with propaganda and misinformation, researchers at Tech Against Terrorism have told WIRED. A new report from the group details how, in recent months, terrorists and other extremist organizations have been using artificial intelligence to manipulate imagery and thwart content moderation. As platforms have struggled to keep up with this flood of extremist content, a new tool called Altitude, built in collaboration between Tech Against Terrorism and Google, is seeking to address the problem. The tool centralizes the collection of verified terrorist content, allowing companies to easily vet posts shared to their platforms.

Israel is exacerbating the humanitarian catastrophe in Gaza by likely imposing devastating internet blackouts in the region. Last week, Israel reportedly imposed a full internet shutdown in the area as its troops moved into the Gaza Strip. After internet access was restored, the area suffered two additional connectivity blackouts. The most recent lasted for about 15 hours on Sunday as Israel was carrying out an intense operation to cut off Gaza City in the north from southern Gaza.

In other infrastructure news, a report from the ​​cybersecurity firm Mandiant reveals that last year, the Russian military intelligence agency known as Sandworm carried out a power grid attack targeting a Ukrainian electric utility causing a blackout for Ukrainian civilians. According to the report, the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country.

The third GOP presidential primary debate was livestreamed on Rumble, a YouTube alternative home to what the Southern Poverty Law Center says is one of America’s most notorious white nationalists, Nick Fuentes. Since the outbreak of the Israel-Hamas conflict last month, Fuentes has used his Rumble channel to push antisemitic hate speech and Holocaust denial conspiracies, racking up hundreds of thousands of views. Fuentes’ YouTube account was terminated in 2020 after Google demonetized it.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there

On Wednesday, you and everyone you know had trouble getting ChatGPT to ghostwrite their emails as developer OpenAI was hit by what it thought was a distributed denial-of-service attack. For nearly two hours, users who tried to access the chatbot were greeted with a message telling them “ChatGPT is at capacity right now.”

In a tweet, OpenAI CEO Sam Altman initially blamed its outage on a surge in interest in the platform's new features. By Wednesday night the company announced that the periodic outages were due to an “abnormal traffic pattern reflective of a DDoS attack.”

While it’s unclear who is behind the attack, a group known as Anonymous Sudan claimed responsibility on Wednesday, posting on Telegram that it had targeted OpenAI for "general biases towards Israel and against Palestine." OpenAI has since resolved the issue.

The US arm of the Industrial and Commercial Bank of China was hit by a ransomware attack that disrupted trades in the US Treasury market on Thursday. The bank appears to be the latest victim of the prolific ransomware gang known as Lockbit. According to the US Cybersecurity and Infrastructure Security Agency, Lockbit has hit 1,700 US organizations since 2020 and extorted more than $100 million in ransom demands. Last month it threatened Boeing with a leak of sensitive data.

"ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication," China's foreign ministry spokesperson Wang Wenbin said at a press conference.

Signal is beta testing usernames that will allow people to communicate using the encrypted service without exchanging phone numbers, further enhancing the app's privacy applications. The feature will go live in early 2024.

Support for usernames is a major step for the messaging service as Signal has apparently been working on the feature for years. Though accounts will still need to be associated with a phone number at setup, the introduction of usernames will allow users to connect without having to share it.

Cooperation between government, researchers, and tech companies aimed at countering disinformation online is evaporating thanks to a sustained campaign by US Republicans in the press, courts, and on Capitol Hill. Tech employees tell NBC the FBI has halted communications with social media firms about foreign influence campaigns, a move the FBI director attributed to a September ruling in the country's most conservative appellate court forbidding the government from "significantly" encouraging social media companies to remove misinformation.

“We’re having some interaction with social media companies,” FBI director Christopher Wray said in testimony last week to the Senate Homeland Security Committee. “But all of those interactions have changed fundamentally in the wake of the court rulings.”

According to NBC, all the FBI’s interactions with tech platforms now have to be supervised by Justice Department lawyers.

Signal Is Finally Testing Usernames

By Deeba Ahmed
Reportedly, it was a ransomware attack orchestrated by the notorious LockBit gang.
This is a post from HackRead.com Read the original post: World’s Largest Bank ICBC Discloses Crippling Ransomware Attack

The ransomware attack caused the US arm of the Industrial and Commercial Bank of China (ICBC) to resort to unconventional USB stick transactions.

China’s largest bank, the Industrial and Commercial Bank of China (ICBC), has reportedly become a victim of a ransomware attack. The ICBC is the world’s largest bank in terms of assets. According to Bloomberg, the Russia-linked LockBit ransomware gang is responsible for the attack.

This gang offers ransomware-as-a-service and has been involved in many incidents targeting high-profile organizations, including the IT giant **Accenture**, **Boeing**, **Bangkok Airways**, the UK’s **Royal Mail**, German firm Continental, etc.

Ironically, the cyberattack on ICBC occurred just a week after the US announced an **alliance of 40 countries** to combat ransomware threats, emphasizing a stance against paying ransom to threat actors.

It is worth noting that the US trading arm of the ICBC has been targeted in the attack, forcing it to conduct trades within Manhattan through messengers carrying USB flash drives. The incident **recalls the events of 2018** when employees at two municipalities in Alaska were forced to resort to using typewriters following a massive ransomware attack.

A message was posted on the ICBC Financial Services website, revealing that its systems were disrupted on 8 November 2023. The bank intends to conduct a thorough investigation to determine the root cause of the security incident. Relevant authorities have been informed as well.

ICBC’s statement

After the attack, the bank could not clear pending US Treasury trades because the concerned entities got disconnected from the impacted systems, forcing the bank to send them settlement details via USB sticks. The company quickly isolated the systems from ICBS’s head office. However, the bank’s overseas units weren’t impacted.

It is suspected that the attackers may have exploited the **Citrix Bleed vulnerabilit**y (CVE-2023-4966). Security researcher Kevin Beaumont **states** that the ICBC may not have patched the flaw in its Citrix NetScaler Gateway appliance.

A patch for the flaw was released by Citrix **last month**. It is a serious vulnerability, given that hackers/ransomware gangs can easily exploit it to bypass authentication and break into corporate systems. This vulnerability has been exploited several times recently in attacks against unpatched government and corporate networks.

According to Bloomberg’s **report**, the incident has disrupted the US Treasury market. A statement from the Securities Industry and Financial Markets Association on Thursday revealed that the bank was targeted by ransomware software, preventing it from settling treasury trades on behalf of other market participants, which can drastically impact US Treasuries’ liquidity.

Regarding this incident, KnowBe4’s Data-Driven Defense Evangelist, **Roger Grimes**, shared with Hackread.com that such incidents can financially benefit the perpetrators.

“Incidents like this, where there’s “real” money involved, often don’t work out long-term for the ransomware gang involved. The authorities not only get involved but there’s big pressure for people to be arrested and the gang shut down.”

“I’m surprised the ransomware gang went ahead with the exploitation. Perhaps they didn’t realize what they had and what they would be interrupting. But the Chinese certainly have their own great hackers they can use as an offensive resource, and the US authorities are pretty good at identifying culprits and dishing out pain when the money involved is enough. This is one of those cases,” Grimes noted.

The incident highlights the growing risk of cyberattacks on financial institutions, and the importance of having robust cybersecurity measures in place.

****_RELATED ARTICLES_****

1.  **Hive Ransomware Resurfaces as Hunters International**
2.  **US, India and China Most Targeted in DDoS Attacks, StormWall**
3.  **Schools Are the Most Targeted Industry by Ransomware Gangs**
4.  **FBI and CISA Issue Joint Advisory on Snatch Ransomware Threat**
5.  **Lyca Mobile Suffers Cyber Attack, Investigating Ransomware Possibility**

World’s Largest Bank ICBC Discloses Crippling Ransomware Attack

It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion.

Thursday, November 9, 2023 14:11

I found the juxtaposition of stories on the Talos blog over the past week-plus kind of funny. 

On one hand, we had a massive story about Arid Viper, a Middle Eastern threat actor spreading spyware, one of the most dangerous types of malware out there right now, operating out of Gaza no less. 

Then, we had “Roblox,” a children’s video game (which I’ve written about multiple times and I maintain was the OG metaverse).  

The scale of these attacks is obviously vastly different. Spyware is being used across the globe to monitor some of the most vulnerable activists, journalists and government officials to track their physical movement.  

Meanwhile, “Roblox” players are losing money in a game where the characters look like vague LEGO minifigure knockoffs.  

And the blog homepage is just a perfect encapsulation of how cybersecurity means more than just blocking malware. It can mean teaching your children how to stay safe when they go online, how to properly lock down your login credentials and just being smart at spotting scams. 

But it can also have global implications in areas where there is a global military conflict, just like we’ve written about countless times in Ukraine. 

I would never call one security researcher’s work more “important” than another's — everyone in the security community works extremely hard to keep the internet safe, no matter what company you work for or what your area of expertise is. Tiago from our Outreach team who wrote about the “Roblox” scams has certainly done way more malware research beyond this. But it’s clear that the real-world implications of both these threats are very different. 

For me, the takeaway is just to leave room for all of this. It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion. But that doesn’t mean we can ignore the “small stuff” either because those problems are more likely to end up on our virtual front door. 

If I may continue to plug Talos’ work, we have a new video series launching today, too, under our Threat Spotlight banner. Each month, Decipher reporters and Talos researchers will team up to recap the top stories, malware and threats in the headlines. We’re excited about this new partnership with Decipher.

 **The one big thing **

Attackers are using a new tactic to get spam through their email inbox filters via Google Forms. Google Forms has a “quiz” option for their fields, and adversaries have found a workaround to send the “answers” to a quiz to targets, which are actually spam messages that appear to the user like they’re legitimate messages coming from Google. In one case, we found a deep cryptocurrency-related scam using this method, and other actors are just hoping to get the user to click on a malicious link that could lead to other scams or malware.  

**Why do I care? **

The average user is going to see a message from Google Forms, especially after they just filled out a Form, and assume it’s legitimate, so attackers are more likely to be successful using this method of delivering their spam compared to traditional email methods. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently. 

**So now what? **

As with all types of spam, follow the basic rule, “If it seems too good to be true, it probably is.” While there is no concrete method of blocking these comments and quiz results from coming through, if you’re using Google Forms, be weary of illegitimate messages making their way through. Look for things like misspellings, typos, or URLs that you don’t recognize.  

**Top security headlines of the week **

**A coalition of more than 40 international governments, including the European Union and Interpol, have agreed to not pay ransomware attackers’ extortion payments.** The commitment came from last week's U.S.-led Counter Ransomware Initiative meeting and applies to those countries’ government agencies. Private companies who operate in these nations are most often the targets of ransomware, however, but leaders hope the pledge will influence them to take the same stance. Whether to pay the ransom is often a tough decision for the private sector, which needs to balance the cost of keeping their network operations offline during recovery versus having their files returned as quickly as possible. However, there is never a guarantee that the ransomware actor will provide a decryption key as promised. Government officials hope that cutting off the flow of income to the threat actors will dry up their resources and discourage future attacks. (Axios, Reuters) 

**Atlassian elevated a recently disclosed vulnerability to the maximum severity rating after threat actors started exploiting it to deliver the Cerber ransomware.** CVE-2023-22518 is an improper authorization vulnerability in Confluence Data Center and Server, which first received a patch on Oct. 31. Adversaries can exploit this vulnerability on internet-facing Confluence servers by sending specially devised requests to setup-restore endpoints. Confluence accounts hosted in Atlassian’s cloud environment are not affected, according to the company. In its initial disclosure of CVE-2023-22518, Atlassian warned of “significant data loss if exploited” and said, “customers must take immediate action to protect their instances.” (SC Media, Ars Technica) 

**The Mozi botnet mysteriously has gone offline, and experts are unsure if the original creators are responsible.** Mozi was once a massive network that attackers used to carry out distributed denial-of-service (DDoS) attacks, data exfiltration and payload execution against internet-of-things (IoT) devices. Once one of the largest botnets in the world, it’s now essentially offline, according to security researchers. A kill switch seems to be the root cause, though it’s unclear if the operators did this on their own volition if they had their hand forced by law enforcement, or if another third party was involved. The kill switch code shares some code snippets with the original botnet, and whoever deployed it used the correct private keys to sign the payload. Botnets tend to still come back to life after reported takedowns, so there is no guarantee that Mozi is gone forever. (Dark Reading, The Register) 

**Can’t get enough Talos? **

*   Threat Roundup for Oct. 27 - Nov. 3 
*   Talos Takes Ep. #161 (XL Edition): The top incident response trends of Q3 
*   Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers 
*   Cyber attackers are increasingly targeting web applications 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

_Riyadh, Saudi Arabia_ 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf**   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A new video series, Google Forms spam and the various gray areas of cyber attacks

By Waqas
OpenAI and ChatGPT began experiencing service outages on November 8th, and the company is actively working to restore full service.
This is a post from HackRead.com Read the original post: ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Is your ChatGPT down? Are you experiencing issues with ChatGPT, such as connectivity problems or encountering a ‘Network error on long responses’? – ChatGPT has been under a series of DDoS attacks, apparently orchestrated by Anonymous Sudan.

OpenAI’s ChatGPT, a popular AI-powered chatbot, has been experiencing outages for the past 24 hours due to distributed denial-of-service (DDoS) attacks. The company confirmed the attacks in a statement on its status website, saying that it is working to mitigate the attacks and restore full service.

> _“We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing to work to mitigate this.“_
> 
> OpenAI on Nov 08, 2023 – 19:49 PST

According to OpenAI CEO Sam Altman, as of this week, ChatGPT now boasts 100 million weekly active users. While this places ChatGPT as the most popular platform on the internet, it also renders it a lucrative target for cybercriminals and hacktivists.

OpenAI has not yet said when it expects the ChatGPT outages to be fully resolved. However, the company has assured users that it is working to resolve the issue as quickly as possible.

ChatGPT’s status page as of Nov 09, 2023

The ChatGPT outages have had a significant impact on users of the service. Many users have been unable to access ChatGPT at all, while others have experienced intermittent outages.

DDoS attacks are a type of cyberattack in which an attacker sends a large number of requests to a website or server in order to overwhelm it and make it unavailable to legitimate users. In the case of ChatGPT, the attackers are flooding the service with more requests than it can handle, causing it to go down.

****Anonymous Sudan Claims Responsibility****

_Hackread.com_ can confirm that the responsibility for the attacks on OpenAI’s infrastructure has been claimed by Anonymous Sudan. The group shared various screenshots on its Telegram channel, depicting examples where OpenAI’s website and ChatGPT’s dashboard experienced downtime or displayed various errors and connectivity issues.

The group further elaborated on their motives for targeting OpenAI and ChatGPT, highlighting the reasons behind their DDoS attacks on one of the most popular platforms globally. In a Telegram post, they stated that as they are specifically targeting American companies, OpenAI, being an American company, is naturally among their prime targets.

The group additionally cited another major reason for targeting OpenAI, pointing to its association with the state of Israel, its investment plans in Israel, and the recent meeting between OpenAI’s CEO, Sam Altman, and the Israeli Prime Minister, Benjamin Netanyahu. Emphasizing their support for the Palestinians, the group mentioned this as a significant rationale behind targeting OpenAI and ChatGPT.

For your information, Anonymous Sudan is a group of hacktivists who claim to be affiliated with the Anonymous collective. However, cybersecurity experts have cast doubt on these claims, suggesting that Anonymous Sudan may be a front for other Russian hacktivist groups.

Anonymous Sudan first emerged in January 2023, when they launched a series of DDoS attacks against Swedish and Danish organizations in response to the far-right activist Rasmus Paludan. In February 2023, Anonymous Sudan also **DDoSed Swedish SAS Airlines**.

The group has since claimed responsibility for a number of other DDoS attacks, including attacks against X (formerly Twitter), Microsoft, and other Western targets.

If you are a user of ChatGPT, there is not much you can do to prevent DDoS attacks. However, you can check the OpenAI status page for updates on the situation and to see if the service is available. You can also try accessing ChatGPT at different times of day, as the attacks may not be continuous.

**_RELATED ARTICLES_**

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

Tag

#ddos