Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11575
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-10 23:53:51 | theregister | MISCELLANEOUS | Microsoft Patches Multiple Vulnerabilities, Including Exploits in WordPad and Skype | Microsoft has released more than 100 security updates, fixing flaws in several products, some of which are currently under active attack.
Two active bugs include an information disclosure bug in Microsoft WordPad that could be exploited to steal NTLM hashes and a privilege escalation vulnerability in Skype for Business. These bugs are known and currently being exploited.
A significant HTTP/2 protocol vulnerability, known as Rapid Reset, has been utilized since August for launching massive distributed denial of service (DDoS) attacks. Major tech companies like Microsoft, Amazon, Google, and Cloudflare have now released mitigations for these attacks.
Out of the new patches, 13 address critical-rated bugs that could lead to remote code execution (RCE) and DDoS attacks.
The highest-rated bug, CVE-2023-35349, scored a 9.8 out of 10 on the CVSS severity scale, and allows for RCE without user interaction. Users have been advised to block TCP port 1801 at their perimeter.
Other important bugs include a Microsoft Exchange Server RCE that earned an 8.0 CVSS rating, a Windows IIS Server Elevation of Privilege with a 9.8 CVSS score, and an important bug affecting organisations that maintain Exchange Server in-house.
Citrix also released patches for two flaws in its NetScaler appliances. One flaw is rated 9.4 and allows sensitive information disclosure without user interaction or privileges. The other is a denial-of-service bug that earned an 8.2 CVSS rating. | Details |
| 2023-10-10 21:26:23 | theregister | CYBERCRIME | Former FTX Chief on Trial for Alleged Fraudulent Activities Involving Customer Deposits | The Federal prosecution team has presented Python code, allegedly used to manipulate accounts on cryptocurrency exchange FTX, to the jury at the trial of the exchange's former head, Sam Bankman-Fried.
Accounts linked to Alameda Research, the hedge fund controlled by Bankman-Fried, are accused of using billions of the customer deposits in FTX as a slush fund, facilitated by altering the Python code-based backend of the platform.
This comes in stark contrast to Bankman-Fried's past statements claiming that Alameda and its affiliated accounts were treated just like any other customers on the platform.
SBF is now accused of using customer deposit funds to sustain both his lavish lifestyle and to cover the losses incurred by Alameda Research. FTX declared bankruptcy in November 2021.
Prosecution has also accused Bankman-Fried of embezzling around $10 billion of customer deposits from FTX, based on the testimony of FTX’s former CEO and Bankman-Fried's ex-partner, Caroline Ellison.
Bankman-Fried, facing multiple trials, has been charged with fraud, money laundering, and campaign finance offences, but has pleaded not guilty to all charges. | Details |
| 2023-10-10 20:39:59 | theregister | DDOS | Record-breaking DDoS Attack Exploits Vulnerability in HTTP/2 Protocol | A record-breaking DDoS (Distributed Denial-of-Service) attack, featuring over 398 million requests per second, exploited a zero-day vulnerability in the HTTP/2 protocol. This attack was more than five times larger than the previous record.
Google, Cloudflare, and AWS discovered and announced the flaw known as CVE-2023-44487 or Rapid Reset. These companies had noticed unusually large application-layer (layer 7) attacks for months, peaking in August.
The exploit involves attackers using a smaller-than-usual network of criminal-controlled bots. Despite the reduced size of the botnet, approximately 20k machines, the volume of requests generated was substantial enough to jeopardize almost any server or application supporting HTTP/2.
The exploit leverages stream multiplexing in the HTTP/2 protocol, enabling multiple HTTP requests to be sent to a server on a single TCP connection. Attackers can overwhelm a server by repeatedly sending requests and swiftly cancelling them, which diverts server resources to start and stop an excessive number of requests.
Variants of the attack approach have been discovered but offer lower efficacy than the original Rapid Reset attack method.
Google, Cloudflare, and Amazon have issued mitigations and implemented new technologies to protect against these attacks in the future, with solutions available for all customers. They recommend tracking connection statistics, limiting stream creation, and closing connections that breach the concurrent stream limit. | Details |
| 2023-10-10 20:39:58 | bleepingcomputer | DDOS | Increased Exploitation Rates Detected as IZ1H9 Malware Variant Targets Linux-Based Routers | A variant of the Mirai-based DDoS (distributed denial of service) malware botnet known as IZ1H9 has added 13 new payloads to increase its target range. It primarily targets Linux-based routers and certain router models from companies like D-Link, Zyxel, TP-Link, and TOTOLINK.
IZ1H9 compromises devices, assimilates them into its DDoS swarm, and then uses these devices to launch DDoS attacks on specified targets. IoT (Internet of Things) devices are believed to be a significant target group for this botnet.
Peak exploitation rates for IZ1H9 were recorded in early September, with tens of thousands of attempts on vulnerable devices.
Upon breaching a device, it injects an IZ1H9 payload which later fetches a shell script downloader called "l.sh." This allows the attacker to modify device configurations and put obstacles in place that help the malware persist on the device.
IZ1H9 also reportedly has a data section with hardcoded credentials that it uses for brute-force attacks. This enhances its capacity for propagation to adjacent devices or access to IoT devices for which it lacks a working exploit.
To minimize the risk of becoming victim to such an attack, IoT device owners are advised to use strong admin user credentials, regularly update their firmware, and limit the devices' exposure to the public internet. | Details |
| 2023-10-10 20:04:03 | bleepingcomputer | MALWARE | Microsoft Recommends Improved Patch for Exchange Server Bug | Microsoft's Exchange Team has encouraged administrators to deploy a new, more effective patch for a critical security flaw in its Exchange Server software.
The vulnerability, designated as CVE-2023-21709, was first addressed in August 2023. It allowed attackers to gain increased privileges on unpatched servers through brute force password attacks without any user interaction.
Although security updates were provided by Microsoft, admins were also required to manually remove the vulnerable Windows IIS Token Cache module or use a PowerShell script to fully protect their servers from CVE-2023-21709 exploits.
In the latest security update (CVE-2023-36434), a new solution has been provided that fully resolves the initial flaw, without requiring additional action. The company is now asking administrators to reinstall the Windows IIS Token Cache module on their servers.
Microsoft has indicated that updates are being made to all relevant documentation and scripts, and changes are being made to the Health Checker tool to reflect the new recommendations.
Microsoft also refused to issue a fix for an identified Skype for Business Elevation of Privilege Vulnerability until the recent Patch Tuesday, despite the fact that it was disclosed in September 2022 and has been actively exploited. | Details |
| 2023-10-10 18:17:12 | theregister | MALWARE | Updated Mirai Botnet Threatens Linux-based Devices with New Exploits | The infamous Mirai botnet is displaying increased activity with a significantly updated arsenal of exploits, making it the first major update to the IZ1H9 Mirai variant in months.
Researchers at FortiGuard Labs reported that the campaign revealed a capacity to infect devices and rapidly expand its botnet by swiftly using recently released exploit code, with overall activity peaking in September.
The escalated Mirai activity was rated as "critical" in severity by FortiGuard Labs due to the scale of break-in attempts and the potential for remote control of Linux-based devices.
Mirai now has the ability to exploit four different D-Link vulnerabilities, dating between 2015 and 2021, indicating a threat even to devices that should have been patched by now considering the age of these vulnerabilities.
Furthermore, eleven vulnerabilities from 2021 have been added, which enables Mirai to exploit Sunhillo SureLine software, Geutebruck's video management products, and Yealink Device Management systems.
Mirai currently remains a significant threat in the cybercrime space, despite having failed to replicate its headline-grabbing DDoS attack of 2016, as it continues to target and exploit Linux-based enterprise IoT devices. | Details |
| 2023-10-10 17:51:28 | bleepingcomputer | CYBERCRIME | Microsoft's October 2023 Patch Tuesday Addresses 104 Flaws Including Three Zero-Days | Microsoft has released its October 2023 Patch Tuesday, resolving 104 flaws which include three zero-day vulnerabilities that were actively exploited.
Despite 45 remote code execution (RCE) bugs being addressed, only 12 vulnerabilities classified as "critical" were rectified, all of which were RCE flaws.
The count excludes one Chromium bug, tracked as CVE-2023-5346, which applied to Microsoft Edge and was fixed by Google on 3 October.
Microsoft has tackled a Skype for Business vulnerability classified as an Elevation of Privilege bug. The flaw could expose sensitive information, but an attacker cannot exploit it to make changes or limit access to resources.
A second vulnerability in Microsoft's WordPad which would allow an attacker to steal NTLM hashes when opening a document was also addressed.
A new zero-day DDoS attack technique called 'HTTP/2 Rapid Reset', which had been actively exploited since August, was mitigated. Instructions on disabling the HTTP/2 protocol on your server were provided.
The disclosure of the HTTP/2 Rapid Reset flaw was jointly made by Microsoft, Cloudflare, Amazon, and Google. Other vendors also released updates or advisories in October 2023. | Details |
| 2023-10-10 17:46:04 | bleepingcomputer | DATA BREACH | Air Europa Suffers Data Breach; Urges Customers to Cancel Credit Cards | Spanish airline Air Europa has suffered a data breach, exposing customers' credit card details including card numbers, expiry dates and CVV codes. The company has urged impacted customers to cancel their cards to prevent potential fraudulent use.
The company has not yet disclosed the number of affected customers or detailed when the breach occurred and was detected. A representative was not available for comment.
The airline alerted relevant authorities and entities (AEPD, INCIBE, banks etc.) and assured customers that systems have been secured.
Customers are being warned not to provide personal or card PIN details to anyone contacting them via phone or email, and not to click any links in emails or messages warning of fraudulent operations concerning their cards.
This is not the first data breach for Air Europa; in March 2021, the company was fined €600,000 by Spain's DPA for infringing GDPR regulations and for late notification of a breach that affected around 489,000 individuals. In that breach, the stolen credit card data of approximately 4,000 customers was used fraudulently. | Details |
| 2023-10-10 16:49:47 | bleepingcomputer | MALWARE | Microsoft Plans to Phase Out Malware-Vulnerable VBScript in Future Windows Releases | Microsoft has announced plans to phase out VBScript, a programming language that has been directly linked to malware distribution, from future versions of Windows.
VBScript has been in use for about 30 years and is used for Active Scripting in Windows environments.
Until it is totally removed, VBScript will be available as an on-demand feature to support uninterrupted use as users plan for a future without VBScript.
The deprecation of VBScript is highly likely connected to the earlier discontinuation of Internet Explorer, rendering a common malware distribution vector ineffective.
Threat actors have been known to use VBScript, notably in distributing Lokibot, Emotet, Qbot and DarkGate malware strains.
Microsoft has been working on strategies to curtail malware distribution via Windows and Office, tracing back to AMSI support extension to Office 365 applications in 2018. Other efforts include disabling Excel 4.0 macros, introducing XLM macro protection, default blocking of VBA Office macros and blocking untrusted XLL add-ins. | Details |
| 2023-10-10 16:39:12 | bleepingcomputer | MALWARE | Microsoft Phases out VBScript to Curb Malware Infections | Microsoft plans to deprecate VBScript, an old programming language that has been used as a malware infection vector.
The company will make VBScript a 'feature on demand' in Windows before removing it entirely from the OS to allow for a smooth transition.
This decision aligns with Microsoft's previous move to discontinue Internet Explorer, which bundled VBScript.
The deprecation of VBScript also removes a common infection pathway used by cybercriminals to spread malware such as Lokibot, Emotet, Qbot, and DarkGate.
Microsoft's step towards phasing out VBScript is part of a larger strategy to counteract the rise of malware campaigns exploiting Windows and Office features. Previously, Microsoft had extended support for AMSI to Office 365 applications, disabled Excel 4.0 macros, mandated the blocking of VBA Office macros, and began blocking untrusted XLL add-ins by default. | Details |
| 2023-10-10 16:03:16 | theregister | MALWARE | Remote Code Execution Vulnerability Found in GNOME-based Linux Distros | Researchers recently discovered a high-severity remote code execution (RCE) vulnerability in the libcue library, a component of GNOME-based Linux distros such as Ubuntu, Fedora, and Debian.
Tracked as CVE-2023-43641, the vulnerability allows for a one-click attack facilitating RCE when a file is downloaded and stored in a directory frequently scanned by the tracker-miners application, which uses libcue.
The tracker-miners application is a crucial component of GNOME-based Linux distros as it indexes files in a user directory, enabling them to show up in search results. The vulnerability can be exploited as soon as a user downloads a malicious .cue file.
The bug, a memory corruption flaw, has been given a provisional severity rating of 8.8 by GitHub. Full proofs of concept have not yet been published, to give users time to install the patch.
The researcher unintentionally discovered a previously unknown sandbox escape while devising the exploit for the RCE vulnerability. This additional bug has already been patched.
The vulnerability potentially affects most major distros with broad implications given the global use of these systems, stressing the importance of immediate patch application once available. | Details |
| 2023-10-10 15:57:51 | bleepingcomputer | DATA BREACH | Critical Flaws in Citrix NetScaler Products Expose Sensitive Data | A critical severity flaw impacting Citrix NetScaler ADC and NetScaler Gateway could allow the disclosure of sensitive information from vulnerable appliances.
The flaw, tracked as CVE-2023-4966, has a CVSS rating of 9.4 and is remotely exploitable without requiring high privileges or user interaction.
A second disclosed vulnerability, CVE-2023-4967, is a high-severity flaw that can cause denial of service on vulnerable devices.
The affected appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be susceptible to attacks.
Citrix recommends upgrading to fixed versions implementing the security updates for the mentioned flaws, without providing any mitigation tips or workarounds.
Critical-severity flaws in Citrix products are sought-after by hackers due to the large organizations with valuable assets that use these devices. In July 2023, a critical remote code execution flaw Citrix fixed as a zero-day was exploited by cybercriminals for planting backdoors and stealing credentials. | Details |
| 2023-10-10 15:26:57 | thehackernews | DDOS | Tech Giants Mitigate Record-Breaking DDoS Attacks Exploiting HTTP/2 Rapid Reset Vulnerability | Amazon Web Services (AWS), Cloudflare, and Google detected and mitigated record-breaking Distributed Denial-of-Service (DDoS) attacks in late August 2023, exploiting a novel vulnerability called HTTP/2 Rapid Reset.
HTTP/2 Rapid Reset is a zero-day flaw in the HTTP/2 protocol, exploited to conduct the DDoS attacks.
Attacks targeting Google's cloud infrastructure hit 398 million requests per second (RPS), while AWS and Cloudflare experienced volumes of 155 million and 201 million RPS, respectively.
The Rapid Reset attack uses HTTP/2 request multiplexing to cancel requests in quick succession, thereby overloading the server without ever reaching its configured threshold.
The zero-day flaw enabled threat actors to overwhelm targeted websites using just 20,000 machines, as observed by Cloudflare.
The vulnerability, tracked as CVE-2023-44487, affects 35.6% of the websites using HTTP/2, which carries a significant volume of total web traffic.
Companies urged organizations to take proactive measures for protection against such attacks, with AWS' Mark Ryland emphasizing the increasing awareness of the vulnerability among threat actors, potentially making it trivial to exploit. | Details |
| 2023-10-10 14:35:44 | theregister | CYBERCRIME | New Version of Curl Patching Two High Severity Security Flaws | A new version of curl, an Internet transfer engine, is scheduled for release on October 11 to address two high severity security flaws: CVE-2023-38545, affecting both libcurl and the curl tool, and CVE-2023-38546, affecting only libcurl.
The new release, Curl 8.4.0, is expected to slot in without causing much trouble as it does not involve any API or ABI changes.
curl is a backbone tool of the internet and is claimed to be used by almost every Internet user globally.
Ax Sharma, a security researcher at Sonatype, clarified that the vulnerability is not as severe as the Log4j issue. However, he warned users to watch for Docker base images that are not receiving updates and might contain an application using the vulnerable libcurl.
Sharma urged users not to panic but to install the patched packages as soon as they are available, and to remember to keep operating systems within containers updated. | Details |
| 2023-10-10 14:14:57 | bleepingcomputer | DDOS | Unprecedented 'HTTP/2 Rapid Reset' DDoS attacks spotlighted by Amazon, Google and Cloudflare | A new DDoS technique called 'HTTP/2 Rapid Reset' has been exploited since August 2023, setting a new magnitude record for such attacks; Amazon Web Services, Cloudflare, and Google have been discussing this development in a coordinated response.
The sheer size of these attacks is alarming, with Cloudflare reporting mitigation of attacks reaching 201 million requests per second (rps), a figure three times greater than its previous record of 71 million rps recorded earlier this year.
The new technique exploits a zero-day vulnerability (CVE-2023-44487) in the HTTP/2 protocol, abusing the 'stream cancellation' feature to overwhelm targeted servers/applications with a flood of requests and rapid resets.
Cloudflare has countered this onslaught by leveraging its 'IP Jail' system, designed to handle hyper-volumetric attacks; AWS mitigated the attacks while maintaining the availability of its customer services.
Cloudflare, AWS, and Google recommend the use of all available HTTP-flood protection tools and multifaceted mitigation strategies to build resilience against 'HTTP/2 Rapid Reset' attacks.
The details surrounding the zero-day vulnerability have been kept confidential to allow security vendors and stakeholders ample time to develop countermeasures before the details became public knowledge. | Details |
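The three Rapid Reset entries above all describe the same defensive recommendation: keep per-connection statistics, bound stream creation, and close connections that abuse stream cancellation. The sketch below is an added example, not code from any of the vendors or articles summarised here. It models a server-side guard that counts HEADERS, RST_STREAM and END_STREAM events per connection and shows why the usual SETTINGS_MAX_CONCURRENT_STREAMS limit alone does not help: the abusive client never has more than one stream open, so only a reset-rate policy catches it. The thresholds, connection ids and the frame log are constructed values chosen for the illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnState:
    """Per-connection counters a server could keep alongside its HTTP/2 state."""
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)  # timestamps of RST_STREAM
    peak_open: int = 0          # highest concurrent stream count seen
    closed: bool = False
    reason: str = ""


class RapidResetGuard:
    """Accounts HEADERS / RST_STREAM / END_STREAM events per connection.

    max_streams mirrors the server's SETTINGS_MAX_CONCURRENT_STREAMS; max_resets
    per window is the extra policy needed because a Rapid Reset client keeps its
    concurrent count tiny while churning streams. All thresholds are assumed.
    """

    def __init__(self, max_streams=100, window=1.0, max_resets=50):
        self.max_streams = max_streams
        self.window = window          # sliding window in seconds
        self.max_resets = max_resets  # resets tolerated per window
        self.conns = {}

    def _state(self, conn_id):
        return self.conns.setdefault(conn_id, ConnState())

    def on_frame(self, conn_id, ts, frame, stream_id):
        st = self._state(conn_id)
        if st.closed:
            return "dropped"  # connection already torn down; frame ignored
        if frame == "HEADERS":
            if len(st.open_streams) >= self.max_streams:
                st.closed, st.reason = True, "concurrent stream limit exceeded"
                return "closed"
            st.open_streams.add(stream_id)
            st.peak_open = max(st.peak_open, len(st.open_streams))
            return "accepted"
        if frame == "RST_STREAM":
            st.open_streams.discard(stream_id)
            st.reset_times.append(ts)
            # Drop reset timestamps that fell out of the sliding window.
            while st.reset_times and ts - st.reset_times[0] > self.window:
                st.reset_times.popleft()
            if len(st.reset_times) > self.max_resets:
                st.closed, st.reason = True, "reset rate exceeded"
                return "closed"
            return "reset"
        if frame == "END_STREAM":
            st.open_streams.discard(stream_id)  # response completed normally
            return "finished"
        raise ValueError(f"unknown frame type {frame!r}")


def build_sample_frames():
    """Constructed frame log: one well-behaved client and one Rapid Reset client."""
    frames = []
    # Benign: 20 requests, each answered before the next one opens.
    for i in range(20):
        sid = 2 * i + 1
        frames.append(("good-conn", 0.05 * i, "HEADERS", sid))
        frames.append(("good-conn", 0.05 * i + 0.01, "END_STREAM", sid))
    # Abusive: 60 open/cancel pairs in half a second, never more than 1 open.
    for i in range(60):
        sid = 2 * i + 1
        frames.append(("bad-conn", 0.008 * i, "HEADERS", sid))
        frames.append(("bad-conn", 0.008 * i + 0.001, "RST_STREAM", sid))
    return sorted(frames, key=lambda f: f[1])


def run(frames, guard=None):
    """Feed frames through the guard; return {conn: (closed, reason, peak_open)}."""
    guard = guard or RapidResetGuard()
    for conn_id, ts, frame, sid in frames:
        guard.on_frame(conn_id, ts, frame, sid)
    return {cid: (st.closed, st.reason, st.peak_open)
            for cid, st in guard.conns.items()}


if __name__ == "__main__":
    for cid, verdict in run(build_sample_frames()).items():
        print(cid, verdict)
```

Note that the abusive connection is closed with peak_open equal to 1: it would pass a concurrent-stream check of any size, which is exactly why the vendors recommend per-connection reset accounting rather than relying on the stream limit alone. A production guard would also want the window and threshold tuned per deployment and the verdicts logged for detection engineering.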