26-Oct-23: In Security News Today

Record-Breaking 100 Million RPS DDoS Attack Exploits HTTP/2 Rapid Reset Flaw

Cloudflare has reported mitigating thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited the recently disclosed HTTP/2 Rapid Reset flaw, with 89 of these attacks exceeding 100 million requests per second (RPS). The total number of HTTP DDoS attack requests in Q3 2023 surged to 8.9 trillion, a significant increase from the previous quarter. The top industries targeted by these attacks include gaming, IT, cryptocurrency, computer software, and telecom, with the US, China, Brazil, Germany, and Indonesia being the biggest sources of application layer (L7) DDoS attacks.

ToddyCat Unveils New Tools for Data Exfiltration

The advanced persistent threat (APT) actor known as ToddyCat has developed a new set of malicious tools for data exfiltration, providing insight into their tactics and capabilities. The tools include loaders, a file collection tool, a Dropbox uploader, and a tool for exfiltrating archive files. ToddyCat has also been observed using custom scripts, a passive backdoor, Cobalt Strike, and compromised domain admin credentials for espionage activities.

New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager

A medium-severity vulnerability has been discovered in Synology's DiskStation Manager (DSM) that could allow an attacker to reconstruct an administrator's password and remotely take over the account. The flaw stems from the use of a weak random number generator, JavaScript's Math.random() method, to build the admin password. Math.random() is a statistical PRNG whose output is a deterministic function of its internal state, not a cryptographic one: exploitation requires the attacker to extract certain GUIDs that are generated from the same source and then brute-force the Math.random() state from them, after which the password can be regenerated. Synology addressed the flaw in updates released in June 2023.

Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

Microsoft has said it intends to phase out NT LAN Manager (NTLM) in Windows 11 and to invest in the Kerberos authentication protocol instead. Planned Windows 11 features include Initial and Pass Through Authentication Using Kerberos (IAKerb), which lets a client without line of sight to a domain controller authenticate through a server that has it, and a local Key Distribution Center (KDC) so that Kerberos can also be used for local accounts. NTLM's well-known weaknesses, above all its susceptibility to relay attacks, are why Microsoft is steering customers towards Kerberos.

Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

A new wave of watering hole attacks delivering a malware downloader called IMAPLoader has been attributed to the Iranian threat actor known as Tortoiseshell. The malware fetches further payloads over email, using IMAP mailboxes as its command-and-control channel, and executes payloads extracted from email attachments. Tortoiseshell has a history of using strategic website compromises to distribute malware and is associated with the Islamic Revolutionary Guard Corps (IRGC).

White House to Issue AI Rules for Federal Employees

President Biden is expected to announce new rules requiring government agencies to assess AI tools for safety and data protection. The order is also expected to ease immigration rules for highly skilled technology workers. On the cybersecurity side, it would require large language models (LLMs) to be assessed before government agencies may use them.

Iran APT Targets the Mediterranean With Watering-Hole Attacks

A threat actor sponsored by the Islamic Republic of Iran, known as Yellow Liderc, is using watering-hole attacks to target organizations in the maritime, shipping, and logistics sectors in the Mediterranean. The group has been using a new malware downloader called IMAPLoader, which communicates with the attackers’ email addresses for command-and-control. Yellow Liderc employs various tactics and techniques, including reconnaissance emails and impersonating legitimate organizations, making it difficult to defend against.

Microsoft: 0ktapus Cyberattackers Evolve to ‘Most Dangerous’ Status

Microsoft has labeled the 0ktapus cyberattack collective as one of the most dangerous financial criminal groups, noting its growing sophistication. The English-speaking group, also tracked as Scatter Swine and UNC3944, relies on adversary-in-the-middle techniques, social engineering, and SIM swapping. Recently observed techniques include exfiltrating data through Azure Data Factory and registering legitimate Microsoft 365 backup solutions to move data out of victim tenants. Organizations need to actively prepare for the evolving threat posed by 0ktapus.

Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data

Cybersecurity firm Horizon3.ai has warned that Mirth Connect, an open source data integration platform widely used in healthcare organizations, is affected by a critical remote code execution vulnerability (CVE-2023-43208). The vulnerability can be exploited without authentication and could lead to the compromise of sensitive healthcare data. It is a bypass of the patch for a previously disclosed vulnerability (CVE-2023-37679), so all Mirth Connect installations older than version 4.4.1 are affected. Users are advised to update to version 4.4.1 to mitigate the risk.

iLeakage: New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs

A group of academics has disclosed a new side-channel attack called iLeakage that targets Apple devices running A- and M-series CPUs. It is a speculative-execution (Spectre-style) attack delivered through a web page in the Safari browser, allowing an attacker to read sensitive data handled by the browser, such as content from other open pages. The vulnerability affects all Apple devices released from 2020 onwards that are powered by Apple's A-series and M-series ARM processors.

StripedFly: Ultra-Sophisticated Malware Masking Itself as a Cryptominer

Kaspersky Lab experts have discovered a highly sophisticated malware campaign called StripedFly, which has affected over a million users worldwide since 2017. Initially thought to be a simple cryptominer, further analysis revealed that StripedFly is a multifunctional framework with a range of attack capabilities and modules. It can be used for APT-style espionage, cryptocurrency mining, or even extortion, and it spreads across networks using an EternalBlue exploit against the SMBv1 protocol.

Discord: A Playground for Nation-State Hackers Targeting Critical Infrastructure

Nation-state hacking groups are leveraging the social platform Discord to target critical infrastructure. Discord’s content delivery network (CDN) is being used to host malware and facilitate data exfiltration. The abuse of Discord by threat actors introduces a new layer of complexity to the threat landscape, allowing them to establish long-term footholds within networks and put critical infrastructure at risk.

Microsoft Warns of Scattered Spider Expanding from SIM Swaps to Ransomware

Microsoft has warned of the activities of a threat actor known as Scattered Spider, which has been impersonating newly hired employees to breach organizations worldwide. The group, also known as Octo Tempest, is described as one of the most dangerous financial criminal groups due to its operational fluidity and its use of SMS phishing, SIM swapping, and help desk fraud. Octo Tempest targets support and help desk personnel with social engineering to gain access to privileged accounts. It has since expanded its targeting to a wider range of sectors and has become an affiliate of the BlackCat ransomware gang.

Sophisticated Spy Platform StripedFly Infects Over 1 Million Victims

Researchers from Kaspersky have discovered that the malware known as StripedFly, initially thought to be a cryptominer, is actually a sophisticated spy platform for both Windows and Linux systems. The malware allows attackers to achieve persistence on networks, exfiltrate credentials and other data, and communicate with command-and-control servers through a built-in Tor network tunnel. StripedFly has already infected over 1 million systems and has successfully evaded detection for six years.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.