This posting is here to collect cyber security news in October 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in October 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
265 Comments
Tomi Engdahl says:
https://thehackernews.com/2023/10/security-patch-for-two-new-flaws-in.html
Tomi Engdahl says:
Kaksi troijalaista Suomen haittaohjelmien kärjessä syyskuussa
https://etn.fi/index.php/13-news/15415-kaksi-troijalaista-suomen-haittaohjelmien-kaerjessae-syysuussa
Check Point Software kertoo syyskuun haittaohjelmakatsauksessaan, että Formbook nousi maailman yleisimmäksi haitakkeeksi Qbotin alasajon jälkeen. Suomessa kaksi yleisintä riesa olivat Injuke- ja Nanocore-troijalaiset.
Check Pointin tutkimusosaston tutkijat kertovat, että Formbook nousi ensimmäiselle sijalle maailman yleisimpänä haittaohjelmana Qbotin alasajon jälkeen. FBI otti Qbotin bottiverkon hallintaansa elokuussa, mikä johti sen putoamiseen listakärjestä, johon Qbot sijoittui suurimman osan vuotta 2023.
Check Point Research havaitsi syyskuussa myös merkittävän tietojenkalastelukampanjan, joka kohdistui yli 40 suureen yritykseen useilla toimialoilla Kolumbiassa. Sen tavoitteena oli asentaa Remcos-etäkäyttötroijalainen huomaamattomasti uhrien tietokoneisiin. Remcos, joka oli syyskuussa maailman toiseksi ja Suomen yhdeksänneksi yleisin haittaohjelma, antaa hakkerille täyden hallinnan tartunnan saaneeseen tietokoneeseen mahdollistaen esimerkiksi tietovarkaudet ja käyttäjätilien kaappaukset.
Tomi Engdahl says:
High-Severity Flaws in ConnectedIO’s 3G/4G Routers Raise Concerns for IoT Security
https://thehackernews.com/2023/10/high-severity-flaws-in-connectedios.html
Multiple high-severity security vulnerabilities have been disclosed in ConnectedIO’s ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data.
“An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device information,” Claroty’s Noam Moshe said in an analysis published last week.
Vulnerabilities in 3G/4G routers could expose thousands of internal networks to severe threats, enabling bad actors to seize control, intercept traffic, and even infiltrate Extended Internet of Things (XIoT) things.
Tomi Engdahl says:
Norjalainen tutkimuslaitos havaitsi tärinää päivänä, jolloin kaasuputkivuoto alkoi
https://yle.fi/a/74-20054483
Suomen ja Viron välisessä Balticconnector-kaasuputkessa huomattiin vuoto sunnuntaiyönä 8. lokakuuta. Myös merenalainen tietoliikennekaapeli on katkennut.
Valtionjohto ja viranomaiset järjestivät tiistaina yllättäen tiedotustilaisuuden, jossa kerrottiin, että putkea ja kaapelia on todennäköisesti vahingoitettu tarkoituksella.
Tomi Engdahl says:
October 2023 Microsoft Patch Tuesday Summary
https://isc.sans.edu/diary/October+2023+Microsoft+Patch+Tuesday+Summary/30300
For October, Microsoft released patches for 105 different vulnerabilities.
This count includes one Chromium vulnerability that was patched earlier this month.
There are a total of three already exploited vulnerabilities:
CVE-2023-44487 HTTP/2 Rapid Reset Attack
CVE-2023-36563 Wordpad Information Disclosure
CVE-2023-41763: Skype for Business elevation of privileges
Noteworthy are the nine critical vulnerabilities in the Layer 2 Tunneling protocol and the vulnerabilities in the Microsoft Message Queue (one with a CVSS score of 9.8). These two components received numerous patches for the last couple of months.
Overall, I would rate this patch Tuesday as “average.” There are no “outrageously important” vulnerabilities to patch.
Tomi Engdahl says:
HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
Earlier today, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset”
attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks.
Cloudflare has mitigated a barrage of these attacks in recent months, including an attack three times larger than any previous attack we’ve observed, which exceeded 201 million requests per second (rps). Since the end of August 2023, Cloudflare has mitigated more than 1,100 other attacks with over 10 million rps — and 184 attacks that were greater than our previous DDoS record of 71 million rps.
also:
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
also:
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
Tomi Engdahl says:
New critical Citrix NetScaler flaw exposes ‘sensitive’ data https://www.bleepingcomputer.com/news/security/new-critical-citrix-netscaler-flaw-exposes-sensitive-data/
Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances. The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity.
However, there’s the prerequisite of the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server for it to be vulnerable to attacks. While the flaw’s exploitation can lead to “sensitive information disclosure,” the vendor has not provided any details about what information is exposed.
Tomi Engdahl says:
Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability https://arstechnica.com/security/2023/10/thousands-of-wordpress-sites-have-been-hacked-through-tagdiv-plugin-vulnerability/
Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.
The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than
155,000 downloads.
Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.
Tomi Engdahl says:
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
The Symantec Threat Hunter Team, part of Broadcom, has attributed this activity to a new group we are calling Grayling. This activity stood out due to the use by Grayling of a distinctive DLL sideloading technique that uses a custom decryptor to deploy payloads. The motivation driving this activity appears to be intelligence gathering.
Tomi Engdahl says:
Former US Cyber Director Inglis on Israel, Russia and ONCD’s future
https://therecord.media/chris-inglis-interview-predict-2023
Chris Inglis, the first-ever national cyber director, said Tuesday that cyberattacks would likely become a part of the unfolding conflict between Israel and Hamas, but he is confident in Israel’s ability to defend itself both on the battlefield and in cyberspace.
“Cyber is involved in everything… it’s certainly involved in this and I think in two ways,” said Inglis, who stepped down from his post in February. “One, cyber, the digital infrastructure, is being used to synchronize, coordinate activities, whether that’s diplomacy or actions on the battlefield, and therefore needs to work well, needs to work with optimal performance.”
The other front is the “information war” between the two sides to push their perspectives, according to Inglis.
Tomi Engdahl says:
Hacktivists send fake nuclear attack warning via Israeli Red Alert app https://www.bitdefender.com/blog/hotforsecurity/hacktivists-send-fake-nuclear-attack-warning-via-israeli-red-alert-app/
Hackers have exploited a flaw in a widely-used app that warns of missile attacks against Israel to send a fake alert that a nuclear strike is imminent.
The AnonGhost hacktivist group said on its Telegram channel that it had managed to breach the “Red Alert” app to send a warning that “The Nuclear Bomb is coming” and distribute notifications saying “death to Israel.”
Tomi Engdahl says:
Social media platforms foment disinformation about war in Israel https://therecord.media/social-media-platforms-foment-disinfo-israel
Video game clips purporting to be footage of a Hamas fighter shooting down an Israeli helicopter. Phony X accounts spreading fake news through fictitious BBC and Jerusalem Post “journalists.” An Algerian fireworks celebration described as Israeli strikes.
These are just a few examples of the disinformation swirling around the conflict between Hamas and Israel, much of which has been enabled by X, formerly known as Twitter, and by platforms like Meta and Telegram.
Tomi Engdahl says:
Air Europa customers urged to cancel cards following hack on payment system https://therecord.media/air-europa-cyberattack-payment-cards
Customers of Spanish airline Air Europa were on Tuesday advised by the company to cancel their credit cards following a cyberattack affecting its online payment system.
The company, based on the island of Mallorca, did not announce how many customers were affected nor when the attack took place.
Tomi Engdahl says:
Critically Close to Zero(Day): Exploiting Microsoft Kernel Streaming Service https://securityintelligence.com/posts/critically-close-to-zero-day-exploiting-microsoft-kernel-streaming-service/
Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM.
This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit.
Tomi Engdahl says:
CISA, FBI, NSA, and Treasury Release Guidance on OSS in IT/ICS Environments https://www.cisa.gov/news-events/alerts/2023/10/10/cisa-fbi-nsa-and-treasury-release-guidance-oss-itics-environments
Today, CISA, the Federal Bureau of Investigation, the National Security Agency, and the U.S. Department of the Treasury released guidance on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS).
Tomi Engdahl says:
APPLICATION SECURITY
Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business
https://www.securityweek.com/microsoft-fixes-exploited-zero-days-in-wordpad-skype-for-business/
Microsoft patches more than 100 vulnerabilities across the Windows ecosystem and warned that three are already being exploited in the wild.
Microsoft’s security response team on Tuesday pushed out a massive batch of software and OS updates to cover more than 100 vulnerabilities across the Windows ecosystem and warned that three of the flaws are already being exploited in the wild.
As part of the scheduled batch of Patch Tuesday fixes, Microsoft joined with tech giants AWS, Google and Cloudflare to address the ‘HTTP/2 Rapid Reset’ zero-day (see separate SecurityWeek coverage) that exposed the internet to massive DDoS attacks.
In addition, the Redmond, Wash. software giant called attention to a pair of zero-days — in Microsoft WordPad and Skype for Business — that are being exploited in the wild.
The WordPad bug, tracked as CVE-2023-36563, is described as an information disclosure issue that allows the disclosure of NTLM hashes.
Microsoft credited the discovery to its own threat intelligence team, suggesting it was being used in malware attacks via maliciously crafted URLs or files.
Tomi Engdahl says:
By Sayan Sen – There are quite a few ways to bypass the stringent system requirements of Windows 11 like those involving registry tweaks or using third-party tools. Recently, a new way to bypass has been discovered. #Windows11 #Microsoft #TPM
https://www.neowin.net/news/windows-11-system-requirements-tpm-cpu-can-be-bypassed-via-this-single-command/?fbclid=IwAR0PTBJ6B2PZbzbcg7p63KxU2XvccAMNGXjk67Nhm7h2dAu0_KN_3yPEMRo
Aside from CPUs, TPM version 2.0 was also made mandatory. Again, Microsoft reasoned that such were the strict security characteristics Windows 11 brought.
Regardless, people have continued to use bypasses so as to install Windows 11 on unsupported hardware. Highly popular third-party utilities also started providing the service. First, it was Rufus which added the bypass as early as October of 2021 itself when the OS became generally available. Later on, it was expanded to include in-place upgrades as well, and even more soon after that.
After this, Ventoy joined in too as added options to bypass requirements. Although not as popular as these two, WinToUSB also added bypass support earlier this year. Interestingly, Microsoft too, made a registry bypass official, though with a fair amount of warning.
In related news, in case you missed it, currently the upcoming Windows 11 23H2′s system requirements is in the certification and compliance phase.
The Microsoft workaround or registry bypass for the unsupported TPM seems like a default registry setting or values for the OEMs so the 23H2 will be get implemented on the near future for the TPM 1.2 specification also as a minimum system requirements for business customers.
https://www.neowin.net/news/microsoft-begins-ensuring-windows-11-23h2-minimum-system-requirements-compatibility/
Tomi Engdahl says:
NETWORK SECURITY
‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History
https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-largest-ddos-attacks-in-history/
A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.
Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.
Cloudflare started analyzing the attack method and the underlying vulnerability in late August. The company says an unknown threat actor has exploited a weakness in the widely used HTTP/2 protocol to launch “enormous, hyper-volumetric” DDoS attacks.
One of the attacks seen by Cloudflare was three times larger than the record-breaking 71 million requests per second (RPS) attack reported by company in February. Specifically, the HTTP/2 Rapid Reset DDoS campaign peaked at 201 million RPS.
The company noted that the record-breaking attack aimed at its customers leveraged a botnet of only 20,000 compromised devices. The web security firm regularly sees attacks launched by botnets powered by hundreds of thousands and even millions of machines.
The underlying vulnerability, which is believed to impact every web server implementing HTTP/2, is tracked as CVE-2023-44487 and it has been assigned a ‘high severity’ rating with a CVSS score of 7.5.
Cloudflare and Google have published blog posts providing technical details on the HTTP/2 Rapid Reset attack. AWS has also published a blog post describing the HTTP/2 Rapid Reset attacks it has observed.
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.
The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource.
In the weeks after the initial DDoS attacks, we have seen some Rapid Reset attack variants. These variants are generally not as efficient as the initial version was, but might still be more efficient than standard HTTP/2 DDoS attacks.
A multifaceted approach to mitigations
We don’t expect that simply blocking individual requests is a viable mitigation against this class of attacks — instead the entire TCP connection needs to be closed when abuse is detected. HTTP/2 provides built-in support for closing connections, using the GOAWAY frame type. The RFC defines a process for gracefully closing a connection that involves first sending an informational GOAWAY that does not set a limit on opening new streams, and one round trip later sending another that forbids opening additional streams.
However, this graceful GOAWAY process is usually not implemented in a way which is robust against malicious clients. This form of mitigation leaves the connection vulnerable to Rapid Reset attacks for too long, and should not be used for building mitigations as it does not stop the inbound requests. Instead, the GOAWAY should be set up to limit stream creation immediately.
This leaves the question of deciding which connections are abusive. The client canceling requests is not inherently abusive, the feature exists in the HTTP/2 protocol to help better manage request processing. Typical situations are when a browser no longer needs a resource it had requested due to the user navigating away from the page, or applications using a long polling approach with a client-side timeout.
Mitigations for this attack vector can take multiple forms, but mostly center around tracking connection statistics and using various signals and business logic to determine how useful each connection is. For example, if a connection has more than 100 requests with more than 50% of the given requests canceled, it could be a candidate for a mitigation response. The magnitude and type of response depends on the risk to each platform, but responses can range from forceful GOAWAY frames as discussed before to closing the TCP connection immediately.
To mitigate against the non-cancelling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses.
Applicability to other protocols
We do not believe these attack methods translate directly to HTTP/3 (QUIC) due to protocol differences, and Google does not currently see HTTP/3 used as a DDoS attack vector at scale. Despite that, our recommendation is for HTTP/3 server implementations to proactively implement mechanisms to limit the amount of work done by a single transport connection, similar to the HTTP/2 mitigations discussed above.
How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
A number of Google services and Cloud customers have been targeted with a novel HTTP/2-based DDoS attack which peaked in August. These attacks were significantly larger than any previously-reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second.
The attacks were largely stopped at the edge of our network by Google’s global load balancing infrastructure and did not lead to any outages. While the impact was minimal, Google’s DDoS Response Team reviewed the attacks and added additional protections to further mitigate similar attacks. In addition to Google’s internal response, we helped lead a coordinated disclosure process with industry partners to address the new HTTP/2 vector across the ecosystem.
Below, we explain the predominant methodology for Layer 7 attacks over the last few years, what changed in these new attacks to make them so much larger, and the mitigation strategies we believe are effective against this attack type. This article is written from the perspective of a reverse proxy architecture, where the HTTP request is terminated by a reverse proxy that forwards requests to other services. The same concepts apply to HTTP servers that are integrated into the application server, but with slightly different considerations which potentially lead to different mitigation strategies.
The HTTP/2 Rapid Reset attack
The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.
This attack is called Rapid Reset because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open.
Tomi Engdahl says:
HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks
https://thehackernews.com/2023/10/http2-rapid-reset-zero-day.html?fbclid=IwAR3Ab2_0R7Rmj4_RlxqQlSTpOw6q9gIXoxmm60fryqe2ng_oCOfSftxxKPo&m=1
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset.
The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10.
While the attacks aimed at Google’s cloud infrastructure peaked at 398 million requests per second (RPS), the ones that struck AWS and Cloudflare exceeded a volume of 155 million and 201 million RPS, respectively.
“HTTP/2 rapid reset attacks consist of multiple HTTP/2 connections with requests and resets in rapid succession,” Mark Ryland and Tom Scholl at AWS said.
Put differently, by initiating hundreds of thousands of HTTP/2 streams and rapidly canceling them at scale over an established connection, threat actors can overwhelm websites and knock them offline. Another crucial aspect is that such attacks can be pulled off using a modestly-sized botnet, something to the tune of 20,000 machines as observed by Cloudflare.
“This zero-day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Grant Bourzikas, chief security officer at Cloudflare, said.
HTTP/2 is used by 35.6% of all the websites, according to W3Techs. The percentage of requests that use HTTP/2 is at 77%, per data shared by Web Almanac.
Google Cloud said it has observed multiple variants of the Rapid Reset attacks that while not as effective as the initial version, are more efficient than the standard HTTP/2 DDoS attacks.
Tomi Engdahl says:
MALWARE & THREATSMirai Variant IZ1H9 Adds 13 Exploits to Arsenal
https://www.securityweek.com/mirai-variant-iz1h9-adds-13-exploits-to-arsenal/
A Mirai botnet variant tracked as IZ1H9 has updated its arsenal with 13 exploits targeting various routers, IP cameras, and other IoT devices.
A variant of the Mirai botnet has recently updated its arsenal of tools with 13 exploits targeting vulnerabilities in IoT devices from D-Link, TP-Link, Zyxel, and various other manufactures, Fortinet reports.
Tracked as IZ1H9 and first discovered in August 2018, this Mirai variant is one of the most active, exploiting unpatched vulnerabilities in IoT devices to ensnare them and abuse them in distributed denial-of-service (DDoS) attacks.
Following the addition of exploits for several new security bugs earlier this year, IZ1H9 has recently expanded its arsenal once again, now packing approximately 30 exploits for D-Link, Geutebruck, Korenix, Netis, Sunhillo, Totolink, TP-Link, Yealink, and Zyxel flaws.
Exploitation of these vulnerabilities peaked on September 6, when Fortinet saw thousands of attack attempts.
Of the newly added exploits, four target D-Link issues tracked as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382. These critical-severity flaws allow remote attackers to execute arbitrary code on affected devices.
According to Fortinet, eight other exploits target arbitrary command execution bugs impacting the firmware that UDP Technology supplies to Geutebruck and other OEMs for their IP cameras.
Tomi Engdahl says:
https://techcrunch.com/2023/10/10/23andme-resets-user-passwords-after-genetic-data-posted-online/?fbclid=IwAR0OeV9zew2DKXbutVuYqURhO3PBedJrit8JSwxxLqqE5u58738iULgja48
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-announces-plans-to-kill-vbscript-malware-delivery/?fbclid=IwAR0bDF-auyNloDaK7-s1Verv0P2tyrZcSm_5h9rvpJYEiGpiaQYMcTuSFJE
Tomi Engdahl says:
Venäläinen hakkeriryhmä ottaa nimiinsä keskiviikkona tehdyt palvelunestohyökkäykset https://www.hs.fi/kotimaa/art-2000009916111.html
Hyökkäyksiä tehtiin ainakin Verohallinnon, Traficomin, Kyberturvallisuuskeskuksen sekä Expressbus-liikenneyhtiön verkkosivuille.
Hyökkäykset aiheuttavat verkkopalvelujen hidastumista ja muita häiriöitä niiden toiminnoissa.
HAKKERIRYHMÄ kertoi keskiviikkona hyökkäysten syyksi ulkoministeriön myöntämät tukipaketit Ukrainaan. Yhteydestä viime sunnuntaina tapahtuneeseen Balticconnector-kaasuputken räjäyttämiseen ei ole viitteitä, kertoo Traficomin tietoturva-asiantuntija Samuli Könönen.
”Haktivistiryhmän toiminta on sellaista, että he tekevät joka päivä palvelunestohyökkäyksiä jossain päin maailmaa. Tänään vuorossa on jälleen ollut Suomi.”
Tomi Engdahl says:
Elisan turvallisuusjohtaja kertoo vikaantuneesta merikaapelista: ”vaatii järeitä työkaluja”
https://www.tivi.fi/uutiset/tv/2528bc95-763e-4814-8829-d3841b53cba8
Merikaapelit vaurioituvat tyypillisesti myrskyssä hätäankkuroinnin seurauksena, sanoo Elisan turvallisuusjohtaja.
Kaapelin toiminta lakkasi ja teknisten mittausten perusteella kaapelissa on katko, Elisan turvallisuusjohtaja Jaakko Wallenius sanoo. Alueella olevat korjausalukset eivät pysty toimimaan merenkäynnin takia.
Walleniuksen mukaan kaapeli on vahvaa tekoa. Halkaisija on joitain senttejä.
Sisällä ovat kuidut, joissa tietoliikenne kulkee. Kuitujen päällä on eristekerroksia ja panssarointina suojakerroksia. Terässuojausta on useampi kerros. Kuidut on eristetty ja tiivistetty siten, ettei niihin pääse vettä.
”Se kestää normaalit merenpohjan olosuhteet hyvin, mutta jos siihen paljon ylimääräistä voimaa kohdistuu, sitä se ei kestä.”
Tomi Engdahl says:
CVE-2023-38545: curl SOCKS5 oversized hostname vulnerability. How bad is it?
https://isc.sans.edu/diary/CVE202338545+curl+SOCKS5+oversized+hostname+vulnerability+How+bad+is+it/30304
The vulnerability is a heap-based buffer overflow, which may lead to arbitrary code execution. Modern operating systems should make exploitation of heap-based buffer overflows more difficult, but exploitation is possible.
This is only a valid exploit if you take unvalidated data and create an HTTP request via a SOCKS5 proxy to a hostname created from the unvalidated data. My recommendation is to upgrade without haste.
I rate the probability of this happening in actual code as very low. If you accept data, not validate it, and just blindly pass it to libraries like curl, you will likely have other problems that are easier to exploit.
Tomi Engdahl says:
Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
Microsoft has linked the exploitation of a recently disclosed critical flaw in Atlassian Confluence Data Center and Server to a nation-state actor it tracks as Storm-0062 (aka DarkShadow or Oro0lxy).
The tech giant’s threat intelligence team said it observed in-the-wild abuse of the vulnerability since September 14, 2023.
“CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server,” the company noted in a series of posts on X (formerly Twitter).
“Any device with a network connection to a vulnerable application can exploit
CVE-2023-22515 to create a Confluence administrator account within the application.”
Tomi Engdahl says:
U.S. Cybersecurity Agency Warns of Actively Exploited Adobe Acrobat Reader Vulnerability https://thehackernews.com/2023/10/us-cybersecurity-agency-warns-of.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user.
Tomi Engdahl says:
Rikolliset kuriin tekoälyn avulla – kyberhuoltovarmuus koetuksella LähiTapiolan Hack Dayssa https://www.epressi.com/tiedotteet/vakuutus/rikolliset-kuriin-tekoalyn-avulla-kyberhuoltovarmuus-koetuksella-lahitapiolan-hack-dayssa.html
Suomen parhaat hyvishakkerit kokoontuvat lauantaina 14. lokakuuta LähiTapiolan järjestämään Hack Day -tapahtumaan etsimään tietoturvauhkia yhteiskunnalle kriittisestä infrastruktuurista. Tietoturvatestattavana on LähiTapiolan järjestelmien lisäksi myös Vaisalan meteorologinen sääasema. Tekoäly on yksi keskeisin väline testauksessa. Sen rooli rikollisten toiminnassa, mutta myös pitkäkyntisten torjunnassa, kasvaa kohisten.
Tomi Engdahl says:
Kempower kutsui hakkerit toimistolleen – tietoturvaa paranneltiin entisestään https://www.tivi.fi/uutiset/tv/239d8ece-82fc-4e97-a508-5d4cb21c7f1a
[TILAAJILLE]
Sähköajoneuvojen pikalatausratkaisuja suunnitteleva ja valmistava Kempower järjesti ensimmäisen Hack Day -tapahtumansa syyskuussa Lahdessa sijaitsevalla pääkonttorillaan. Yhtiö pyrki testaamaan tapahtuman avulla latausratkaisujen ja -ohjelmiston kyberturvallisuuden. Kempower aikoo löydösten avulla parantaa asiakkaiden tietoturvaa ja -suojaa.
”Kempowerilla kyberturvallisuus ja tietoturva luovat perustan liiketoimintamme luotettavuudelle ja tämä tapahtuma oli erinomainen mahdollisuus laittaa korkeat standardimme testiin”, Kempowerin tietohallintojohtaja Pete Nieminen kertoo tiedotteessa.
Tomi Engdahl says:
Hamas Attacks, Israel Bombs Gaza and Misinformation Surges Online https://www.bellingcat.com/news/2023/10/11/hamas-attacks-israel-bombs-gaza-and-misinformation-surges-online/
In recent days, viral social media posts have presented years-old footage, or footage from entirely different conflict zones, as depicting the latest Israeli bombing of Gaza. They have baselessly claimed that a video of a lost girl in an Arabic-speaking country is an Israeli hostage in Gaza and have presented flares lit by Algerian football fans as the lights and explosions of a warzone. These are but a few examples.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens Ruggedcom Devices Affected by Nozomi Component Flaws
https://www.securityweek.com/ics-patch-tuesday-siemens-ruggedcom-devices-affected-by-nozomi-component-flaws/
ICS Patch Tuesday: Siemens and Schneider Electric release over a dozen advisories addressing more than 40 vulnerabilities
Siemens and Schneider Electric’s Patch Tuesday advisories for October 2023 address more than 40 vulnerabilities affecting their products.
Siemens
Siemens has published a dozen new advisories addressing 41 vulnerabilities.
One advisory describes seven vulnerabilities affecting Siemens’ Ruggedcom APE1808 industrial application hosting platform, which is made for running third-party software in harsh, mission-critical environments.
The vulnerabilities exist in a product made by industrial and IoT cybersecurity firm Nozomi Networks, specifically the firm’s Guardian product, which is designed to provide asset inventory and network visibility, and the Central Management Console (CMC), which aggregates Guardian sensor data.
Nozomi patched the vulnerabilities in its products in early August with the release of Guardian/CMC version 22.6.2. Siemens is working on patches for its Ruggedcom product and in the meantime it has provided workarounds and mitigations that can be used to prevent exploitation.
The vulnerabilities can be exploited to obtain information, execute arbitrary JavaScript code, hijack user sessions, and cause a denial-of-service (DoS) condition.
However, all of the Nozomi product vulnerabilities require authentication and some of them require elevated privileges for exploitation. Only two of them have been assigned ‘high’ severity ratings based on their CVSS score — the rest are ‘medium’ and ‘low’ — but Nozomi says even the high-severity issues actually have a ‘medium’ risk level for its customers.
Three of Siemens’ new advisories address critical vulnerabilities that have been patched by the industrial giant. One of them describes Scalance W1750D flaws that were previously found in Aruba products. The Scalance W1750D is actually a brand-labeled device from HPE-owned Aruba.
A ‘critical’ severity rating has also been assigned to CVE-2023-43625, a Simcenter Amesim bug that can allow an unauthenticated, remote attacker to execute arbitrary code using DLL injections.
The third ‘critical’ advisory describes CVE-2023-36380, a hardcoded ID in the SSH ‘authorized_keys’ configuration file of Sicam A8000 remote terminal units (RTUs). In certain circumstances, an attacker who knows the corresponding credentials could access the device via SSH.
High-severity vulnerabilities have been addressed in Sinema Server (code execution via XSS), Sicam PAS/PQS (local privilege escalation), Siemens Xpedition Layout Browser (code execution, DoS), Sinec NMS (code injection, XSS), Tecnomatix Plant Simulation (code execution or DoS via malicious files), and Sicam A8000 RTUs (privilege escalation).
Tomi Engdahl says:
ICS/OT
Critical SOCKS5 Vulnerability in cURL Puts Enterprise Systems at Risk
https://www.securityweek.com/critical-socks5-vulnerability-in-curl-puts-enterprise-systems-at-risk/
Flaw poses a direct threat to the SOCKS5 proxy handshake process in cURL and can be exploited remotely in some non-standard configurations.
The maintainers of the cURL data transfer project on Wednesday rolled out patches for a severe memory corruption vulnerability that exposes millions of enterprise OSes, applications and devices to malicious hacker attacks.
According to an high-risk bulletin, the flaw poses a direct threat to the SOCKS5 proxy handshake process in cURL and can be exploited remotely in some non-standard configurations.
The bug, tracked as CVE-2023-38545, exists in the libcurl library that handles data exchange between devices and servers.
From the advisory:
“When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.
If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means “let the host resolve the name” could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.”
Swedish open source developer and curl maintainer Daniel Stenberg explained that the bug was introduced in February 2020 during related coding work on cURL’s SOCKS5 support.
“This problem is the worst security problem found in [libcurl] in a long time,” Stenberg said. The issue was reported via the HackerOne platform by Jay Satiro and paid out $4,600, the largest cURL bug bounty to date.
Tomi Engdahl says:
Payment Card Data Stolen in Air Europa Hack
Spanish airline Air Europa is informing customers that their payment card information has been stolen as a result of a hacker attack.
https://www.securityweek.com/payment-card-data-stolen-in-air-europa-hack/
Tomi Engdahl says:
Organizations Respond to HTTP/2 Zero-Day Exploited for DDoS Attacks
https://www.securityweek.com/organizations-respond-to-http-2-zero-day-exploited-for-ddos-attacks/
Organizations respond to HTTP/2 Rapid Reset zero-day vulnerability exploited to launch the largest DDoS attacks seen to date.
Major tech companies and other organizations have rushed to respond to the newly disclosed HTTP/2 zero-day vulnerability that has been exploited to launch the largest distributed denial-of-service (DDoS) attacks seen to date.
The existence of the attack method, named HTTP/2 Rapid Reset, and the underlying vulnerability, tracked as CVE-2023-44487, were disclosed on Tuesday by Cloudflare, AWS and Google.
Each of the tech giants saw DDoS attacks aimed at customers peaking at hundreds of millions of requests per second, far more than they had previously seen. One noteworthy aspect is that the attacks came from relatively small botnets powered by just tens of thousands of devices.
While their existing DDoS protections were largely able to block the attacks, Google, Cloudflare and AWS implemented additional mitigations for this specific attack vector. In addition, they notified web server software companies, which have started working on patches.
NETWORK SECURITY‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History
https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-largest-ddos-attacks-in-history/
Tomi Engdahl says:
DarkGate Opens Organizations for Attack via Skype, Teams https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
We detail an ongoing campaign abusing messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads were introduced to the environment.
Tomi Engdahl says:
Ransomware review: October 2023
https://www.malwarebytes.com/blog/threat-intelligence/2023/10/ransomware-review-october-2023
This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.
Tomi Engdahl says:
ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses https://asec.ahnlab.com/en/57635/
AhnLab Security Emergency response Center (ASEC) has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value.
Tomi Engdahl says:
Ransomware Roundup – Akira
https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira
Akira is a relatively new ransomware variant with Windows and Linux versions that came out in April 2023. Like many attackers, the gang behind this variant only uses the ransomware to encrypt files after first breaking into a network and stealing data. This group also employs a double extortion tactic, demanding a ransom from victims in exchange for file decryption and not leaking stolen information to the public.
Tomi Engdahl says:
Syyskuun Kybersäässä sateisuutta aiheuttivat huijauspuhelut sekä palvelunestohyökkäykset
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kybersaa_09/2023
Syyskuu oli huijauspuhelujen sekä palvelunestohyökkäysten värittämä.
Väärennetyistä numeroista soitettuja huijauspuheluja ilmoitettiin jopa ennätysmäärä ennen lokakuun alussa voimaantullutta Traficomin määräystä.
Kuukauden valonpilkahduksena olivat vähentyneet ilmoitusmäärät tietomurroista, tietomurron yrityksistä ja tietovuodoista.
Tomi Engdahl says:
How to Scan Your Environment for Vulnerable Versions of Curl https://www.darkreading.com/dr-tech/how-to-scan-environment-vulnerable-curl
This Tech Tip outlines how enterprise defenders can mitigate the risks of the curl and libcurl vulnerabilities in their environments.
Security teams don’t have to swing into crisis mode to address the recently fixed vulnerabilities in the command-line tool curl and the libcurl library, but that doesn’t mean they don’t have to worry about identifying and remediating impacted systems. If the systems are not immediately exploitable, security teams have some time to make those updates.
This Tech Tip aggregates guidance on what security teams need to do to ensure they aren’t at risk.
Curl Bug Hype Fizzles After Patching Reveal
Touted for days as potentially catastrophic, the curl flaws only impact a narrow set of deployments.
https://www.darkreading.com/vulnerabilities-threats/curl-bug-hype-fizzles-after-patching-reveal
For days now, the cybersecurity community has waited anxiously for the big reveal about two security flaws that, according to curl founder Daniel Stenberg, included one that was likely “the worst curl security flaw in a long time.”
Curl is an open source proxy resolution tool used as a “middle man” to transfer files between various protocols, which is present in literally billions of application instances. The suggestion of a massive open source library flaw evoked memories of the catastrophic log4j flaw from 2021. As Alex Ilgayev, head of security research at Cycode, worried, “the vulnerability in the curl library might prove to be more challenging than the Log4j incident two years ago.”
But following today’s unveiling of patches and bug details, neither vulnerability lived up to the hype. However, it’s still important for organizations to uncover whether the bugs are present in their environments (Dark Reading’s latest Tech Tip covers how to scan environments for the curl vulnerabilities), and remediate accordingly.
How to Scan Your Environment for Vulnerable Versions of Curl
This Tech Tip outlines how enterprise defenders can mitigate the risks of the curl and libcurl vulnerabilities in their environments.
https://www.darkreading.com/dr-tech/how-to-scan-environment-vulnerable-curl
A foundational networking tool for Unix and Linux systems, cURL is used in command lines and scripts to transfer data. Its prevalence is due to the fact that it is used as both a standalone utility (curl) as well as a library that is included in many different types of applications (libcurl). The libcurl library, which allows developers to access curl APIs from their own code, can be introduced directly into the code, used as a dependency, used as part of an operating system bundle, included as part of a Docker container, or installed on a Kubernetes cluster node.
According to Yair Mizrahi, a senior security researcher at JFrog, the libcurl library is vulnerable only if the following environment variables are set: CURLOPT_PROXYTYPE set to type CURLPROXY_SOCKS5_HOSTNAME; or CURLOPT_PROXY or CURLOPT_PRE_PROXY set to scheme socks5h://. The library is also vulnerable if one of the proxy environment variables is set to use the socks5h:// scheme. The command-line tool is vulnerable only if it is executed with the -socks5-hostname flag, or with –proxy (-x) or –preproxy set to use the scheme socks5h://. It is also vulnerable if curl is executed with the affected environment variables.
“The set of pre-conditions needed in order for a machine to be vulnerable (see previous section) is more restrictive than initially believed. Therefore, we believe the vast majority of curl users won’t be affected by this vulnerability,” Mizrahi wrote in the analysis.
Scan the Environment for Vulnerable Systems
The first thing organizations need to do is to scope their environments to identify all systems using curl and libcurl to assess whether those preconditions exist. Organizations should inventory their systems and evaluate their software delivery processes using software composition analysis tools for code, scanning containers, and application security posture management utilities, notes Alex Ilgayev, head of security research at Cycode. Even though the vulnerability does not affect every implementation of curl, it would be easier to identify the impacted systems if the team starts with a list of potential locations to look.
The following commands identify which versions of curl are installed:
Linux/MacOS:
find / -name curl 2>/dev/null -exec echo “Found: {}” \; -exec {} –version \;
Windows:
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue -Filter curl.exe | ForEach-Object { Write-Host “Found: $($_.FullName)”; & $_.FullName –version }
GitHub has a query to run in Defender for Endpoint to identify all devices in the environment that have curl installed or use curl. Qualys has published its rules for using its platform.
Organizations using Docker containers or other container technologies should also scan the images for vulnerable versions. A sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate liburl copies. Docker has pulled together a list of instructions on assessing all images.
To find existing repositories:
docker scout repo enable –org /scout-demo
To analyze local container images:
docker scout policy [IMAGE] –org [ORG]
This issue highlights the importance of keeping meticulous track of all open source software being used in an organization, according to Henrik Plate, a security researcher at Endor Labs.
“Knowing about all the uses of curl and libcurl is the prerequisite for assessing the actual risk and taking remediation actions, be it patching curl, restricting access to affected systems from untrusted networks, or implementing other countermeasures,” Plate said.
Just because the flaws are not exploitable doesn’t mean the updates are not necessary. Patches are available directly for curl and libcurl, and many of the operating systems (Debian, Ubuntu, Red Hat, etc.) have also pushed fixed versions. Keep an eye out for security updates from other applications, as libcurl is a library used by many operating systems and applications.
One workaround until the updates can be deployed is to force curl to use local hostname resolving when connecting to a SOCKS5 proxy, according to JFrog’s Mizrahi. This syntax uses the socks5 scheme and not socks5h: curl -x socks5://someproxy.com. In the library, replace the environment variable CURLPROXY_SOCKS5_HOSTNAME with CURLPROXY_SOCKS5.
According to Benjamin Marr, a security engineer at Intruder, security teams should be monitoring curl flags for excessive large strings, as that would indicate the system had been compromised. The flags are –socks5-hostname, or –proxy or –preproxy set to use the scheme socks5h://.
CURL High Severity Vulnerability
https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Vulnerability%20Management/Curl-CVE-2023-38545.md
Curl 8.4.0 – Proactively Identifying Potential Vulnerable Assets
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/05/curl-8-4-0-proactively-identifying-potential-vulnerable-assets
Tomi Engdahl says:
Viron ja Ruotsin välinen tietoliikennekaapeli on vaurioitunut https://www.is.fi/ulkomaat/art-2000009929539.html
Tomi Engdahl says:
Over 40,000 admin portal accounts use ‘admin’ as a password
https://www.bleepingcomputer.com/news/security/over-40-000-admin-portal-accounts-use-admin-as-a-password/?fbclid=IwAR1_gOdg_PvAvIeBLIMfDgqS6Qp1OWuLfECP5XfJwjOYPkh_caeo2WGEY90
Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks.
Out of more than 1.8 million administrator credentials analyzed, over 40,000 entries were “admin,” showing that the default password is widely accepted by IT administrators.
Default and weak passwords
The authentication data was collected between January and September this year through Threat Compass, a threat intelligence solution from cybersecurity company Outpost24.
Outpost24 says that the authentication credentials come from information-stealing malware, which typically targets applications that store usernames and passwords.
Tomi Engdahl says:
Malicious Notepad++ Google ads evade detection for months
https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-google-ads-evade-detection-for-months/?traffic_source=Connatix
A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis.
Threat actors have been increasingly abusing Google Ads in malvertising campaigns to promote fake software websites that distribute malware.
According to Malwarebytes, which spotted the Notepad++ malvertising campaign, it has been live for several months but managed to fly under the radar all this time.
Tomi Engdahl says:
Update now! Atlassian Confluence vulnerability is being actively exploited https://www.malwarebytes.com/blog/news/2023/10/atlassian-confluence-zero-day
Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023. At the time the attacks were first observed the vulnerability was a zero-day, meaning that no update was available, so defenders had “zero days” to patch the flaw.
The vulnerability has since been issued an ID, CVE-2023-22515, and rated with the highest possible severity, a CVSS score of ten. Atlassian’s October 4 advisory warns that “Publicly accessible Confluence Data Center and Server versions … are at critical risk and require immediate attention.”
If you are running Confluence Data Center or Confluence Server inside your organisation and it’s exposed to the public internet you should take steps to prevent exploitation, upgrade your software and look for evidence of compromise (take a look at the Atlassian advisory for detailed information about threat hunting).
Tomi Engdahl says:
Scammers with blue checkmarks on X
https://www.kaspersky.com/blog/beware-of-twitter-blue-fake-accounts/49199/
Since Elon Musk bought Twitter, there’s been such a constant stream of changes on the social platform that it’s been genuinely difficult to keep up — especially for those who don’t spend all their free time on Twitter. One significant change that looks likely it’s here to stay concerns X’s account verification system — the notorious blue checkmarks. So let’s investigate what has changed, what the unpleasant consequences are, and why you simply can’t trust blue badges anymore.
Tomi Engdahl says:
An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html
In April this year Google’s Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. The chain was reported to Apple under a 7-day disclosure deadline and Apple released iOS
16.4.1 on April 7, 2023 fixing CVE-2023-28206 and CVE-2023-28205.
Over the last few years Apple has been hardening the Safari WebContent (or
“renderer”) process sandbox attack surface on iOS, recently removing the ability for the WebContent process to access GPU-related hardware directly.
Access to graphics-related drivers is now brokered via a GPU process which runs in a separate sandbox.
Analysis of this in-the-wild exploit chain reveals the first known case of attackers exploiting the Safari IPC layer to “hop” from WebContent to the GPU process, adding an extra link to the exploit chain (CVE-2023-32409).
Tomi Engdahl says:
Biggest DDoSes of all time generated by protocol 0-day in HTTP/2
https://arstechnica.com/?p=1975840
In August and September, threat actors unleashed the biggest distributed denial-of-service attacks in Internet history by exploiting a previously unknown vulnerability in a key technical protocol. Unlike other high-severity zero-days in recent years—Heartbleed or log4j, for example—which caused chaos from a torrent of indiscriminate exploits, the more recent attacks, dubbed
HTTP/2 Rapid Reset, were barely noticeable to all but a select few engineers.
Tomi Engdahl says:
Microsoft plans to kill off NTLM authentication in Windows 11 https://www.bleepingcomputer.com/news/security/microsoft-plans-to-kill-off-ntlm-authentication-in-windows-11/
Microsoft announced earlier this week that the NTLM authentication protocol will be killed off in Windows 11 in the future.
NTLM (short for New Technology LAN Manager) is a family of protocols used to authenticate remote users and provide session security.
Kerberos, another authentication protocol, has superseded NTLM and is now the current default auth protocol for domain-connected devices on all Windows versions above Windows 2000.
While it was the default protocol used in old Windows versions, NTLM is still used today, and if, for any reason, Kerberos fails, NTLM will be used instead.
Tomi Engdahl says:
Turun kaupungin tietoliikennettä häiritty jo päivien ajan – tietojenkalastelusta tehty rikosilmoitus https://yle.fi/a/74-20055170?origin=rss
Turun kaupunki on kärsinyt jo usean päivän ajan tietoliikennehäirinnästä.
Kaupungin tiedotteen mukaan kaupunkiin on kohdistunut erittäin aktiivinen tietojenkalastelukampanja, joka yrittää loukata tietoturvaa.
Tietojenkalasteluviestejä on lähtenyt @turku.fi ja @edu.turku.fi -osoitteista sekä organisaation sisälle että ulkopuolelle.
Tomi Engdahl says:
Microsoft: October Windows 10 security updates fail to install https://www.bleepingcomputer.com/news/microsoft/microsoft-october-windows-10-security-updates-fail-to-install/
Microsoft says Windows 10 security updates released during this month’s Patch Tuesday may fail to install with 0x8007000d errors, although initially displaying progress.
On systems affected by this known issue running client platforms (i.e., Windows 10 21H2 and Windows 10 22H2), the KB5031356 security update will fail to complete installation.
This confirms user reports surfacing since Tuesday, October 10, saying that downloading the update and trying to install it manually will also fail to deploy.