This week
‘Hacktivist’ groups on both sides of the Israel-Gaza war talk up cyberattacks
- Hacktivist groups Anonymous Sudan and Killnet have announced campaigns against Israeli targets following the terrorist strike by Hamas. Both groups have been linked to Russia, with Anonymous Sudan suspected to be a front for state-sponsored attacks. In a statement on Telegram, Killnet said, “Government of Israel, you are to blame for this bloodshed. Back in 2022, you supported the terrorist regime of Ukraine. You betrayed Russia. Today Killnet officially informs you about it! All Israeli government systems will be subject to our attacks”.
- Meanwhile, Israel-linked Gonjeshke Darande (“Predatory Sparrow” in Persian) this week posted to Telegram and Twitter for the first time since January. A translation of the message reads “Do you think this is scary? We returned. We hope you’re following what is happening in Gaza.” In July 2022 the group posted footage of an attack against an Iranian steelworks (vol. 5, iss. 27).
“Rapid Reset” leads to a DDOS attack 5.5x larger than any before
- Google Cloud received an unprecedented 398 million requests per second (RPS) distributed denial of service (DDOS) attack in August, 5.5x the size of the previous most significant attack. For comparison, Google says that over 2 minutes, they saw the same number of requests as Wikipedia saw throughout September. Approximately 20,000 bots were involved in the attack, a relatively small number for the impact generated.
- The attack made use of a new technique dubbed “Rapid Reset”, which exploits the ‘stream multiplexing’ feature of the HTTP/2 protocol. Many requests are opened as streams on a single connection and each is immediately cancelled (reset). Because cancelled streams no longer count towards the server’s limit on concurrent requests, the attackers can circumvent that limit even though the server has already started work on each request.
- Cloudflare and Amazon Web Services both say they have been targeted by 201 million RPS and 155 million RPS attacks, respectively.
- The vulnerability in HTTP/2 is being tracked as CVE-2023-44487 (CVSS 7.5/10). A long tail of affected devices and software packages will require updates to address the denial of service condition within their applications.
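The tell-tale of Rapid Reset from the server side is a connection that opens a large number of streams and cancels nearly all of them within a very short window. The following is an added detection heuristic, not code from the newsletter or from any vendor; it assumes a constructed frame-level log format (one line per HTTP/2 frame) and flags connections whose cancel ratio is far outside what a real browser produces.

```python
import re
from collections import defaultdict

# Added example (not from the newsletter): a detection heuristic for the
# HTTP/2 "Rapid Reset" pattern (CVE-2023-44487). It assumes a frame-level log
# with one line per HTTP/2 frame, in this constructed format:
#   <timestamp> conn=<id> frame=<HEADERS|RST_STREAM|DATA> stream=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) conn=(?P<conn>\S+) frame=(?P<frame>\S+) stream=(?P<stream>\d+)$"
)

def analyse(lines, window=1.0, min_streams=50, max_cancel_ratio=0.5):
    """Return {conn: (streams_opened, streams_cancelled)} for connections that,
    within any `window` seconds, opened at least min_streams streams and
    cancelled more than max_cancel_ratio of them. Browsers rarely cancel most
    of what they request; Rapid Reset cancels every stream immediately."""
    opened = defaultdict(list)  # conn -> [(ts, stream_id)] for HEADERS frames
    reset = defaultdict(set)    # conn -> {stream_id} that received RST_STREAM
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a frame record; skip
        conn, stream = m["conn"], int(m["stream"])
        if m["frame"] == "HEADERS":
            opened[conn].append((float(m["ts"]), stream))
        elif m["frame"] == "RST_STREAM":
            reset[conn].add(stream)
    flagged = {}
    for conn, streams in opened.items():
        streams.sort()
        j = 0
        for i, (t0, _) in enumerate(streams):
            while j < len(streams) and streams[j][0] - t0 <= window:
                j += 1  # slide the window end forward
            n = j - i
            cancelled = sum(1 for _, s in streams[i:j] if s in reset[conn])
            if n >= min_streams and cancelled / n > max_cancel_ratio:
                flagged[conn] = (n, cancelled)
                break
    return flagged

def constructed_log():
    """Constructed sample: one browser-like connection and one Rapid Reset one."""
    lines = [f"{i * 0.25:.2f} conn=browser-1 frame=HEADERS stream={2 * i + 1}" for i in range(20)]
    lines.append("1.30 conn=browser-1 frame=RST_STREAM stream=5")  # a single cancelled request
    for i in range(200):  # 200 streams opened and cancelled within 100 ms
        lines.append(f"{10 + i * 0.0005:.4f} conn=bot-7 frame=HEADERS stream={2 * i + 1}")
        lines.append(f"{10 + i * 0.0005:.4f} conn=bot-7 frame=RST_STREAM stream={2 * i + 1}")
    return lines
```

Running `analyse(constructed_log())` flags only `bot-7`; tune `min_streams` and `window` to the concurrent-stream limit and request rate your own servers actually see.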
SEC opens probe into Progress Software over MOVEit attacks
- The US Securities and Exchange Commission (SEC) has opened a probe into Progress Software over the mass compromise of the firm’s MOVEit file transfer solution. Progress Software says it intends to cooperate with the investigation fully, adding “the investigation does not mean that Progress or anyone else has violated federal securities laws,” in a regulatory filing.
- Advisory firm Kroll reckons that the Clop ransomware gang were likely sitting on the zero-day vulnerability (CVE-2023-34362) in MOVEit since 2021. Reviewing incident response logs, the analysts at Kroll have ‘high confidence’ that the same exploit was being used and developed in two cases dating back to July 2021 and April 2022.
Interesting stats
From January 2023 to June 2023, the top three social media scams against Americans, according to the FTC, were:
- 44% fraudulent online shopping purchases, which cost victims $100 on average;
- 20% fake investment opportunities, which accounted for over half of the $658 million reported lost over the same period; and
- 6% romance scams.
Other news bits / in brief
- FTX stored its customers’ funds in ‘hot wallets’ (connected to the Internet for easy access), and a team responding to a heist against the failing cryptocurrency exchange didn’t know where all the wallets were or how to manage access to them, according to a new piece from Andy Greenberg for Wired. Presumably, the attackers (suspected to be of Russian origin) had been operating within FTX’s network for some time and, with the writing on the wall, decided it was time to cash out:
“A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call knew where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets.”
- AMC Entertainment CEO Adam Aron was caught up in a catfishing scam that attempted to extort him out of hundreds of thousands of dollars. Sakoya Blackwood, who perpetrated the extortion attempt, pleaded guilty to cyberstalking as part of a plea deal. Aron, who oversees AMC Theatres and Odeon Cinemas, posted on X (Twitter), “Rather than give in to blackmail, I personally engaged counsel and other professional advisors and reported the matter to law enforcement,” continuing “I did so knowing I risked personal embarrassment. But with my access to resources, if I did not stand up against blackmail, who could?”
- British power and data cable business Volex has notified investors of “unauthorised access to its systems and data”, but that “all sites remain operational” and the financial consequences are “not expected to be material”.
- Spanish airline Air Europa has written to customers advising them to cancel their payment cards after a breach exposing card numbers, expiration dates and CVV codes. This smells like the Magecart attack against British Airways, where the theft of similar data from 400,000 customers led to a £20 million GDPR fine (vol. 3, iss. 42).
- Over 17,000 WordPress sites have been compromised by Balada Injector using a cross-site scripting vulnerability in the premium Newspaper and Newsmag themes.
- ALPHV (BlackCat) claims to have compromised Florida’s First Judicial Circuit court and stolen personal information of staff and judges, along with remote access credentials.
- A new Magecart card skimming technique hides in the 404 error pages of legitimate e-commerce sites, as a way to side-step monitoring of checkout pages.
- LinkedIn Smart Links are being used in phishing messages to circumvent security controls. Smart Links, part of the LinkedIn Sales Navigator suite of tools, act like a URL shortener and track user clicks, appearing to be links to the legitimate LinkedIn site: linkedin[.]com/slink?code= followed by eight characters.
- Cybercrime group Everest is offering cold hard cash to insiders for their remote access to US, Canadian and European businesses.
- Fortinet says that Mirai has been engaged in a campaign to “dramatically expand” its botnet using an “aggressively updated arsenal of exploits”.
- Finland’s Security and Intelligence Service (Supo) has warned that Russia is “currently treating Finland as a hostile country” and that operations against critical infrastructure have increased. Also this week, a subsea cable and gas pipeline in the Baltic Sea were damaged in apparent acts of sabotage. Finnish prime minister Petteri Orpo said it was “too early to draw conclusions” on who caused the damage.
- Citrix NetScaler ADC and NetScaler Gateway instances that are configured to offer VPN or proxy services are vulnerable to “sensitive information disclosure” (see: Citrix’s security bulletin for CVE-2023-4967 (CVSS 9.4/10)).
- A vulnerability in the open source curl package is fortunately only exploitable in rare circumstances.
- Google now favours and defaults to passkeys over passwords for personal accounts.
- Microsoft is phasing out VBScript — a favourite tool of Emotet and Bot for infecting users — and will switch to it being an opt-in feature until it’s removed.
- The UK Financial Conduct Authority (FCA) has fined Equifax over £11 million ($13 million) for failing to protect UK customer data during the “entirely preventable” breach in 2017.
- The US Environmental Protection Agency (EPA) will no longer require cyber security audits of water companies, citing litigation from Republican states and trade associations.
- Singtel is selling its 98% stake in Trustwave for $205 million. The Singaporean telecommunications company acquired the cyber security company in 2015 for $770 million.
- Gutsy has announced a mammoth $51 million seed round for a platform to map business processes and workflows and deliver cyber security insights.
- Arctic Wolf intends to acquire SOAR platform Revelstoke to enable “faster detections” and “automated response actions at scale”. Details of the deal are unknown, though Revelstoke has raised $38 million from investors.
- Swiss startup Lakera has announced a $10 million funding round and promises to protect large language models (LLMs) from prompt injection and data leaks.
And finally
- A US Navy sailor pleaded guilty to selling military blueprints to China for at least $14,866. Petty Officer Wenheng Zhao, aka Thomas Zhao, faces up to twenty years in prison for the offences, which took place between August 2021 and May 2023. It’s a reminder that buying the information you want is sometimes cheaper than deploying sophisticated malware.