
2023.10.17.News You Should Know

CDW investigating ransomware gang claims of data theft - #Ransomware #ThreatActor - CDW acknowledges a breach of a subsidiary of a division of a business area. Threat actors miffed over a $1m offer after an $80m demand.

HTTP/2 ‘Rapid Reset’ zero-day exploited in biggest DDoS yet • The Register - #Research #ThreatActor - Largest ever DDoS…from one of the smallest botnets yet? Roughly 20k bots (orders of magnitude smaller than previous record-holding botnets) abused HTTP/2 multiplexing (CVE-2023-44487): a client can open many streams over a single TCP connection, so each bot fires off hundreds of requests, cancels every one of them with RST_STREAM right after sending it, then sends hundreds more. A cancelled stream no longer counts toward the server’s concurrent-stream limit, but the server has already started work on the request, so the attacker pays almost nothing per request while the target pays full price. The only theoretical ceiling on the request rate is bandwidth, not any per-connection limit.
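To make the stream-accounting point concrete, here is an added simulation of the server side of one HTTP/2 connection. It is my code, not Cloudflare’s, Google’s or The Register’s: it assumes a SETTINGS_MAX_CONCURRENT_STREAMS of 100 and a mitigation threshold of 1,000 client resets per second, both made-up numbers; the frame names are the real HTTP/2 ones. It shows why the concurrency limit stops a client that keeps streams open but does nothing against one that cancels them, and what a reset-rate limit changes.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed server setting; real servers advertise SETTINGS_MAX_CONCURRENT_STREAMS
# (commonly 100-250) in their SETTINGS frame.
MAX_CONCURRENT_STREAMS = 100


@dataclass
class ConnectionState:
    """Server-side bookkeeping for a single HTTP/2 connection."""
    active: set = field(default_factory=set)           # stream ids currently open
    requests_dispatched: int = 0                       # work handed to the backend
    refused: int = 0                                   # HEADERS rejected by a limit
    reset_times: deque = field(default_factory=deque)  # timestamps of RST_STREAM
    flagged: bool = False                              # connection closed by mitigation


def on_headers(conn: ConnectionState, stream_id: int) -> bool:
    """Client opened a stream. In the baseline design the only check is the
    concurrency limit, and the backend request is dispatched immediately."""
    if conn.flagged or len(conn.active) >= MAX_CONCURRENT_STREAMS:
        conn.refused += 1
        return False
    conn.active.add(stream_id)
    conn.requests_dispatched += 1
    return True


def on_rst_stream(conn: ConnectionState, stream_id: int, now: float) -> None:
    """Client cancelled the stream. It stops counting toward the concurrency
    limit at once, but the backend work it triggered is already in flight."""
    conn.active.discard(stream_id)
    conn.reset_times.append(now)


def resets_in_window(conn: ConnectionState, now: float, window: float = 1.0) -> int:
    """Number of client-initiated resets seen in the last `window` seconds."""
    while conn.reset_times and now - conn.reset_times[0] > window:
        conn.reset_times.popleft()
    return len(conn.reset_times)


def simulate_rapid_reset(rounds: int, mitigate: bool, reset_threshold: int = 1000) -> ConnectionState:
    """Attacker loop: HEADERS immediately followed by RST_STREAM, `rounds` times.
    Rounds are 100 microseconds apart, so 10,000 rounds span one second."""
    conn = ConnectionState()
    now = 0.0
    for i in range(rounds):
        stream_id = 2 * i + 1  # client-initiated stream ids are odd
        if on_headers(conn, stream_id):
            on_rst_stream(conn, stream_id, now)
            if mitigate and resets_in_window(conn, now) > reset_threshold:
                conn.flagged = True  # close the connection; later HEADERS are refused
        now += 0.0001
    return conn


def simulate_legit_burst(streams: int) -> ConnectionState:
    """Well-behaved but greedy client: opens `streams` streams and cancels none.
    Here the concurrency limit does its job."""
    conn = ConnectionState()
    for i in range(streams):
        on_headers(conn, 2 * i + 1)
    return conn


if __name__ == "__main__":
    naive = simulate_rapid_reset(10_000, mitigate=False)
    print(f"no mitigation:     dispatched={naive.requests_dispatched} refused={naive.refused}")
    guarded = simulate_rapid_reset(10_000, mitigate=True)
    print(f"reset-rate limit:  dispatched={guarded.requests_dispatched} flagged={guarded.flagged}")
    burst = simulate_legit_burst(150)
    print(f"non-cancelling client: dispatched={burst.requests_dispatched} refused={burst.refused}")
```

Without the reset-rate check the attacker gets all 10,000 requests dispatched and is never refused, because at no point does the connection hold more than one open stream. The fix the major servers shipped is the same shape as `resets_in_window`: count cancellations per connection over time and close connections that exceed a threshold, which is orthogonal to the concurrency limit.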

US Navy sailor admits to selling military secrets to China • The Register - #Politics #InsiderThreat - Navy sailor admits to selling information to a Chinese handler for $14.8k. This comes after another Chinese American Navy sailor was arrested in San Diego and a US Army sergeant was arrested after sending his Chinese handlers a totally-not-suspicious document titled “Important Information to Share with Chinese Government”.

35 Squid proxy bugs still unpatched after 2 years • The Register - #VMDR - Squid proxy called out over years-old bugs. Researcher Joshua Rogers says he disclosed 55 bugs to the Squid project in 2021; 20 have been fixed. He has now published the other 35 on his GitHub with detailed write-ups and PoCs. No patched version is currently available to upgrade to. Over 2.5m Squid installs are currently reachable on the internet.

Rogers says he found all of the flaws in Squid-5.0.5 and performed testing in “nearly every component possible: forward proxying, reverse proxying, all protocols supports (http, https, https intercept, urn, whois, gopher, ftp), responses, requests, ‘helpers,’ DNS, ICAP, ESI, and caching. Every conceivable possible user and build configuration was used.”

SEC is investigating MOVEit mass-hack, says Progress Software | TechCrunch - #SEC #BusinessContinuity - The SEC is investigating the MOVEit hacks. Progress claims minimal financial impact (about $1m, per its SEC filings). Progress faces at least 23 suits from affected customers and 58 class-action lawsuits, with 64m people affected.
This comes days after the disclosure of the WS_FTP vulnerability, also from Progress.

Signal says there is no evidence rumored zero-day bug is real - Multiple groups claimed a zero-day in the Signal messenger. No actual disclosure has been made; the Signal project and others publicly state they are unaware of any issue and ask anyone with details to reach out to security[@]

Fake ‘RedAlert’ rocket alert app for Israel installs Android spyware - #ThreatActor #Politics - Red Alert, a rocket-attack notification app, is being impersonated by malicious APKs distributed outside the Google Play store. Cloudflare found that the trojanized app requests permissions the real one has no need for, including access to the user’s contacts, phone numbers, SMS content, list of installed apps, call logs, phone IMEI, logged-in email and app accounts, and more.
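The practical check here is a permission diff: decode the manifest of the known-good app and of the suspect APK and look at what was added. The example below is added by me and is not Cloudflare’s analysis; both manifests are constructed stand-ins (the real app’s permission list is not on this page), and the high-risk list is my own choice of runtime permissions a rocket-alert app has no business requesting.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: runtime ("dangerous") permissions that a rocket-alert app has no
# legitimate reason to hold. IMEI access comes via READ_PHONE_STATE on older
# Android releases, accounts via GET_ACCOUNTS.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
}

# Constructed manifests: a minimal baseline resembling a legitimate alert app,
# and a suspect one carrying the extra permissions the report describes.
BASELINE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.alert">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
"""

SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.alert">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name="..."/> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def permission_delta(baseline_xml: str, suspect_xml: str) -> dict:
    """Compare two manifests. 'added' is everything the suspect requests that
    the baseline does not; 'high_risk' is the subset that warrants a block."""
    base = requested_permissions(baseline_xml)
    suspect = requested_permissions(suspect_xml)
    added = suspect - base
    return {
        "added": sorted(added),
        "high_risk": sorted(added & HIGH_RISK),
        "removed": sorted(base - suspect),
    }


if __name__ == "__main__":
    delta = permission_delta(BASELINE_MANIFEST, SUSPECT_MANIFEST)
    for key, values in delta.items():
        print(f"{key}:")
        for value in values:
            print(f"  {value}")
```

To run this against a real sample, decode the APK with apktool (`apktool d app.apk` writes a readable AndroidManifest.xml) and feed that file in place of the constructed strings. QUERY_ALL_PACKAGES is reported as added but not high-risk by this list; it is how the fake app enumerates installed software, so tune HIGH_RISK to your own policy.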

Russian Sandworm hackers breached 11 Ukrainian telcos since May - #ThreatActor #Politics #Russia - Everyone’s favorite Russian threat actor is back, this time targeting Ukrainian telecom companies (11 breached since May).

Thousands of Cisco IOS XE devices hacked in widespread attacks - #VMDR #ThreatActor - VulnCheck helped identify thousands of Cisco IOS XE devices already carrying a malicious implant. The CVE (CVE-2023-20198, also a 10/10) abuses the WebUI management interface, which is all too often exposed to the internet. VulnCheck has released a scanner on GitHub to help users identify infected devices.
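If you would rather not pull a third-party scanner, the check from Cisco’s advisory is small enough to script yourself. The example below is mine, not VulnCheck’s tool: the implant answers a POST to /webui/logoutconfirm.html?logon_hash=1 with a bare hexadecimal string, while a stock WebUI returns a page or an error. Hostnames come from the command line; the matching rule (six or more hex digits and nothing else) is my assumption.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# Endpoint from the advisory's implant check: the implant answers a POST here
# with a bare hexadecimal string; a stock WebUI does not.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Assumption: "hexadecimal string" means six or more hex digits and nothing else.
HEX_RE = re.compile(r"[0-9a-fA-F]{6,}")


def classify_response(body: str) -> str:
    """Map a response body to IMPLANT or CLEAN.
    Only a body consisting solely of a hex string indicates the implant;
    an HTML login page, an empty body or an error page are all CLEAN."""
    stripped = body.strip()
    return "IMPLANT" if HEX_RE.fullmatch(stripped) else "CLEAN"


def check_device(host: str, timeout: float = 5.0) -> str:
    """POST to the implant endpoint on one device and classify the answer.
    Certificate checking is disabled because the WebUI normally presents a
    self-signed certificate; acceptable for a read-only probe on your own gear."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return classify_response(err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"


if __name__ == "__main__":
    # Usage: python check_iosxe.py 192.0.2.10 192.0.2.11 ...
    for target in sys.argv[1:]:
        print(f"{target}: {check_device(target)}")
```

A CLEAN result only says that this implant did not answer; any device with the WebUI reachable from the internet should still be treated as suspect, checked for unexpected privilege-15 local users, and have the HTTP server disabled or restricted until patched.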

Microsoft to kill off VBScript in Windows to block malware delivery - #ThreatActor - After deprecating Internet Explorer, Microsoft is moving VBScript to an “optional add-on” (a feature on demand), like Hyper-V or WSL. Going forward, Windows will not ship VBScript support by default. The add-on will persist until an as-yet-undisclosed EOL date.

Mirai DDoS malware variant expands targets with 13 router exploits - #BotNet #ThreatActor - New exploits for D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link Archer, Korenix, TOTOLINK, and possibly ProLINK. After infecting a device it clears logs and writes iptables rules to block users from reaching the admin interfaces. It also carries hardcoded credentials to brute-force downstream devices, including UniFi gear, for which it has no working exploit.

LinkedIn Smart Links attacks return to target Microsoft accounts - #ThreatActor #Espionage - LinkedIn’s Smart Links forwarding service lets the attacker replace the malicious URL in a phishing email with a linkedin[.]com/slink?code={8CharacterShortCode} redirect, which sails through most email security products as a legitimate link. Threat actors abuse this to raise click-through and infection rates.
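Added example, mine and not from the article: a detector for Smart Links in an email body, plus a helper that reveals where a Smart Link redirects without following it. Smart Links resolve through linkedin.com/slink?code=<code>, which is the eight-character short code mentioned above. The sample email is constructed, and defanged URLs are refanged before parsing.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample: one Smart Link (defanged), one ordinary LinkedIn URL,
# one unrelated link.
SAMPLE_EMAIL = """\
Your shared document is ready for review.
Open it here: hxxps://www.linkedin[.]com/slink?code=3Ab9kQ7z
Sender profile: https://www.linkedin.com/in/someone
Unsubscribe: https://example.net/unsub?id=42
"""


def refang(url: str) -> str:
    """Undo the usual defanging so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http").replace("hXXp", "http")


def smart_link_code(url: str):
    """Return the Smart Link code if `url` is a LinkedIn Smart Link
    (linkedin.com/slink?code=<code>), otherwise None."""
    parts = urlparse(refang(url))
    host = (parts.hostname or "").lower()
    if host != "linkedin.com" and not host.endswith(".linkedin.com"):
        return None  # a /slink path on any other domain is not LinkedIn's service
    if parts.path.rstrip("/") != "/slink":
        return None
    codes = parse_qs(parts.query).get("code")
    return codes[0] if codes else None


def find_smart_links(text: str) -> list:
    """All (url, code) pairs for Smart Links found in an email body."""
    found = []
    for url in URL_RE.findall(text):
        code = smart_link_code(url)
        if code:
            found.append((url, code))
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx surfaces as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_once(url: str, timeout: float = 5.0):
    """HEAD the Smart Link without following it and return the first
    redirect target, or None if the server did not redirect."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(refang(url), method="HEAD")
    try:
        opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    except urllib.error.URLError:
        return None
    return None


if __name__ == "__main__":
    for url, code in find_smart_links(SAMPLE_EMAIL):
        print(f"Smart Link {code}: {url}")
```

Smart Links are a legitimate LinkedIn Sales Navigator feature, so a hit is a reason to look, not to block outright: run `resolve_once` on the hit from a sandboxed egress and check the Location target against your URL reputation source before deciding.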

Apple fixes iOS Kernel zero-day vulnerability on older iPhones - #VMDR #CVE - What would a Show & Tell be without another Apple zero-day? (CVE-2023-41993) Here’s this week’s: a 9.8/10, used by threat actors and spyware vendors to record screens, read texts, activate microphones and cameras, etc. etc… Just patch everything Apple…again. And don’t stop. Ever.
