Robin’s Newsletter #278

15 October 2023. Volume 6, Issue 42
Hacktivism increases surrounding Israel-Gaza war. Rapid Reset leads to largest ever DDOS attacks. SEC opens probe into MOVEit software developer.

This week

‘Hacktivist’ groups on both sides of the Israel-Gaza war talk up cyberattacks

“Rapid Reset” leads to a DDOS attack 5.5x larger than any before

  • Google Cloud received an unprecedented 398 million requests per second (RPS) distributed denial of service (DDOS) attack in August, 5.5x the size of the previous most significant attack. For comparison, Google says that over 2 minutes, they saw the same number of requests as Wikipedia saw throughout September. Approximately 20,000 bots were involved in the attack, a relatively small number for the impact generated.
  • The attack made use of a new technique dubbed “Rapid Reset”, which exploits the ‘stream multiplexing’ feature of the HTTP/2 protocol. The attacker sends many requests to a target server and immediately resets (cancels) each one. Because cancelled requests no longer count against the server's limit on concurrent requests, the attacker can circumvent maximum request limits while the server still does the work of handling each request.
  • Cloudflare and Amazon Web Services both say they have been targeted by 201 million RPS and 155 million RPS attacks, respectively.
  • The vulnerability in HTTP/2 is being tracked as CVE-2023-44487 (CVSS 7.5/10). A long tail of affected devices and software packages will require updates to address the denial of service condition within their applications.
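The mitigations that the cloud providers describe boil down to counting how many streams a client opens and immediately cancels on a single connection, and limiting or dropping connections that do this at an abnormal rate. The following detection heuristic is an added example for this issue, not code from Google, Cloudflare, AWS or any HTTP/2 implementation. It assumes that a proxy or packet capture has already decoded HTTP/2 frames into (connection, stream id, frame type, timestamp) records; the connection identifiers, thresholds and the two clients' traffic are constructed for the demonstration.

```python
"""Detection heuristic for HTTP/2 "Rapid Reset" abuse (CVE-2023-44487).

Added example: not code from any vendor or HTTP/2 library. Assumes frames
have already been decoded into Frame records; the sample traffic below is
constructed by hand.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Frame:
    conn: str        # connection identifier, e.g. "client_ip:port" (constructed)
    stream_id: int   # HTTP/2 stream id (client-initiated ids are odd)
    kind: str        # "HEADERS" (request opened) or "RST_STREAM" (request cancelled)
    ts: float        # seconds since start of capture


def reset_stats(frames: Iterable[Frame], window: float = 1.0) -> dict:
    """Count, per (connection, time bucket), streams the client opened and
    streams the client then cancelled with RST_STREAM.

    Only resets of streams the same client opened are counted: that is the
    Rapid Reset pattern, where the server has already started work on the
    request but the slot no longer counts against its concurrent-stream limit.
    """
    opened = defaultdict(set)              # conn -> stream ids currently open
    stats = defaultdict(lambda: [0, 0])    # (conn, bucket) -> [opened, reset]
    for f in sorted(frames, key=lambda x: x.ts):
        key = (f.conn, int(f.ts // window))
        if f.kind == "HEADERS":
            opened[f.conn].add(f.stream_id)
            stats[key][0] += 1
        elif f.kind == "RST_STREAM" and f.stream_id in opened[f.conn]:
            opened[f.conn].discard(f.stream_id)
            stats[key][1] += 1
    return {k: tuple(v) for k, v in stats.items()}


def flag_rapid_reset(frames: Iterable[Frame], window: float = 1.0,
                     max_resets: int = 100, min_ratio: float = 0.5) -> List[str]:
    """Return connection ids that, in any window, reset more than max_resets
    streams AND cancelled at least min_ratio of the streams they opened.

    Both conditions are required: a busy but legitimate client opens many
    streams and cancels few; a browser that navigates away cancels many of
    few. Thresholds are assumptions to tune against real traffic.
    """
    flagged = set()
    for (conn, _bucket), (opened, reset) in reset_stats(frames, window).items():
        if reset > max_resets and opened and reset / opened >= min_ratio:
            flagged.add(conn)
    return sorted(flagged)


def sample_frames() -> List[Frame]:
    """Constructed traffic: one ordinary client and one Rapid Reset client."""
    frames = []
    # Ordinary client: 20 requests over ~2 s, one cancelled (user navigated away).
    for i in range(20):
        frames.append(Frame("10.0.0.5:51000", 2 * i + 1, "HEADERS", 0.1 * i))
    frames.append(Frame("10.0.0.5:51000", 7, "RST_STREAM", 0.35))
    # Abusive client: 500 streams opened and cancelled within ~0.5 s.
    for i in range(500):
        sid = 2 * i + 1
        t = 1.0 + 0.001 * i
        frames.append(Frame("203.0.113.9:40000", sid, "HEADERS", t))
        frames.append(Frame("203.0.113.9:40000", sid, "RST_STREAM", t + 0.0001))
    return frames


if __name__ == "__main__":
    for key, counts in sorted(reset_stats(sample_frames()).items()):
        print(key, "opened=%d reset=%d" % counts)
    print("flagged:", flag_rapid_reset(sample_frames()))
```

Whatever acts on the flag (closing the connection with GOAWAY, rate-limiting the client IP, or simply alerting) is deployment-specific; the point of the heuristic is that a high reset-to-open ratio per connection per second is the signal, not raw request volume, which is why a botnet of only around 20,000 hosts could reach hundreds of millions of requests per second.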

SEC opens probe into Progress Software over MOVEit attacks

Interesting stats

According to the FTC, from January 2023 to June 2023 the top three social media scams against Americans were:

  • 44% fraudulent online shopping purchases, which cost victims $100 on average;
  • 20% fake investment opportunities, which accounted for over half of the $658 million reported lost over the same period; and
  • 6% romance scams.

Other news bits / in brief

  • FTX stored its customers’ funds in ‘hot wallets’ (connected to the Internet for easy access), and a team responding to a heist against the failing cryptocurrency exchange didn’t know where all the wallets were or how to manage access to them, according to a new piece from Andy Greenberg for Wired. Presumably, the attackers (suspected to be of Russian origin) had been operating within FTX’s network for some time and, with the writing on the wall, decided it was time to cash out:  

“A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call knew where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets.”

And finally

Robin
