Cyware Daily Threat Intelligence
Daily Threat Briefing • Oct 11, 2023
In an unprecedented incident, an internet-wide zero-day bug in HTTP/2 has fueled the largest-ever DDoS attacks. The attack, dubbed Rapid Reset, exploited a bug in the HTTP/2 protocol that is used in about 60% of all web applications. It marks a new chapter in the evolution of DDoS threats. Meanwhile, Microsoft patched a couple of actively exploited zero-day vulnerabilities in Skype for Business and WordPad applications. While the Skype bug could be abused to view sensitive information in a way that exposes internal network details, the other bug could lead to information disclosure, such as NTLM hashes.
In a separate incident in the semiconductor supplier space, threat actors exploited a critical vulnerability to deploy Mythic’s Athena Agent, granting them full control over compromised systems. Experts noted that the exploit gained traction within the dark web community soon after the incident.
PLAY ransomware group claims 7 new victims
The PLAY ransomware group has claimed seven new victims: Hughes Gill Cochrane Tinetti, Saltire Energy, Centek Industries, NachtExpress Austria, WCM Europe, Starr Finley, and an unknown entity. These organizations, located in various parts of the world, have no apparent connection to one another, highlighting the indiscriminate nature of the attacks. PLAY ransomware is known for employing a dual-extortion approach, first exfiltrating data from the victim network and then encrypting it.
Manufacturing tech provider hit by cyberattack
Volex, one of the world's largest manufacturing technology providers for data and power transmission cables, suffered a cyberattack that impacted its IT systems across multiple international sites. Volex promptly initiated its IT security protocols and engaged third-party experts to investigate and address the incident. The company assured that its sites remained operational, with minimal disruption to production.
Athena Agent dropped on semiconductor firm
Researchers from Cyble uncovered a targeted spear-phishing attack on a prominent Russian semiconductor supplier. The payload was the Athena Agent of the Mythic C2 framework, designed to grant complete control over compromised systems. The campaign used a deceptive email claiming to be from the Ministry of Industry and Trade of Russia and delivered the payload through an archive file exploiting a critical RCE vulnerability, CVE-2023-38831, in WinRAR.
Advisory against AvosLocker variant
The FBI and CISA issued a joint advisory to disseminate known IOCs and TTPs related to the AvosLocker ransomware. AvosLocker operates under the RaaS model and has been used by cybercriminal affiliates to compromise organizations across multiple critical infrastructure sectors in the U.S. The advisory provides insights into how these attacks occur and highlights the need for vigilance and strong cybersecurity measures to protect against ransomware attacks. This advisory updates a previous one from March 2022 and includes new IOCs and TTPs.
Microsoft addresses 103 flaws, including two zero-days
Microsoft has released its October 2023 Patch Tuesday updates, addressing a total of 103 vulnerabilities in its software. Among these, 13 are rated critical, and 90 are rated important in severity. The update also included two zero-day vulnerabilities that have been actively exploited. The first one affected Microsoft WordPad and could lead to information disclosure, including the leak of NTLM hashes. The other zero-day pertains to Skype for Business and could allow attackers to gain access to internal networks.
Storm-0062 exploits Atlassian security issue
According to Microsoft, a recently disclosed critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server is being actively exploited by a nation-state actor tracked as Storm-0062. The vulnerability, CVE-2023-22515, allows remote attackers to create unauthorized Confluence administrator accounts and access Confluence servers. Atlassian is aware of the exploitation and has released fixes in versions 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support release) or later.
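As an added example (not part of the briefing or of Atlassian's own tooling), the check below compares Confluence version strings from an asset inventory against the fixed releases listed above: 8.3.3, 8.4.3 and 8.5.2 (LTS), with anything on a newer branch treated as "or later". The inventory hostnames and versions are constructed; versions on branches older than 8.3 are reported as having no fixed release named in the advisory rather than guessed at.

```python
"""Added example: branch-aware fix check for CVE-2023-22515 based solely on the
fixed versions quoted in the advisory text above. Sample inventory is constructed."""
import re

# First fixed release per maintained branch, as listed in the advisory.
FIXED_BY_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text):
    """Turn '8.5.1' (or '8.5') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fix_status(text):
    """Return 'fixed', 'unpatched', or 'no-fix-in-branch'.

    'fixed'            : at or above the first fixed release of its branch, or on a
                         branch newer than 8.5 (the advisory's 'or later').
    'unpatched'        : on a branch the advisory names, below its fixed release.
    'no-fix-in-branch' : on an older branch for which the advisory names no fix;
                         treat as needing an upgrade to a fixed branch.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "unpatched"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"
    return "no-fix-in-branch"


def triage(inventory):
    """inventory: {hostname: version}. Returns only the hosts that need action."""
    return {host: fix_status(ver) for host, ver in inventory.items()
            if fix_status(ver) != "fixed"}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "wiki-01": "8.5.2",   # LTS, first fixed release
    "wiki-02": "8.5.1",   # LTS, one below the fix
    "wiki-03": "8.4.3",   # fixed
    "wiki-04": "8.3.2",   # unpatched
    "wiki-05": "8.6.0",   # newer branch, carries the fix
    "wiki-06": "8.2.0",   # no fixed release named for this branch
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The `triage` output is the list to hand to the patching team; `fix_status` is deliberately conservative, so a version string it cannot parse raises rather than silently passing.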
Flawed HTTP/2 protocol leads to DDoS attacks
Threat actors have been exploiting a zero-day vulnerability in the HTTP/2 protocol since August to launch the largest DDoS attacks ever seen. Google, Cloudflare, and Amazon Web Services dubbed these "Rapid Reset" attacks, caused by the vulnerability tracked as CVE-2023-44487. Google noted that malicious actors were able to reach a peak of 398 million rps in their attacks, far surpassing the previous largest attack at 46 million rps. Patches are yet to be released, but a mitigation strategy recommended by OpenSSF involves closing TCP connections with high stream-create/RST_STREAM ratios.
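The following is an added example, not code from the briefing or from OpenSSF, of the per-connection heuristic the mitigation above describes: count the streams a client opens (HEADERS frames) and the RST_STREAM frames it sends on the same connection, and flag connections where most opened streams are immediately reset. The frame-event format, connection ids, sample traffic and thresholds are constructed for the example; a real server would feed this from its own HTTP/2 frame telemetry.

```python
"""Added example: Rapid Reset style per-connection heuristic.

The attack pattern is HEADERS (open stream) immediately followed by RST_STREAM
(cancel it), repeated as fast as the link allows. A connection behaving that
way shows a reset/create ratio near 1.0, while a browser that cancels a few
requests stays close to 0. Events, ids and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ConnStats:
    created: int = 0   # client-initiated streams (HEADERS on a new stream)
    resets: int = 0    # RST_STREAM frames sent by the client


def tally_frames(events):
    """events: iterable of (conn_id, frame_type) in arrival order."""
    stats = defaultdict(ConnStats)
    for conn_id, frame in events:
        if frame == "HEADERS":
            stats[conn_id].created += 1
        elif frame == "RST_STREAM":
            stats[conn_id].resets += 1
        # DATA, WINDOW_UPDATE, PING etc. do not affect the ratio
    return stats


def reset_ratio(stats):
    """Fraction of opened streams that the client reset (0.0 when none opened)."""
    return stats.resets / stats.created if stats.created else 0.0


def connections_to_close(events, min_streams=100, max_ratio=0.5):
    """Return connection ids whose reset ratio exceeds max_ratio.

    min_streams guards against acting on tiny samples: a legitimate client that
    cancels its only two requests would otherwise score 1.0.
    """
    per_conn = tally_frames(events)
    return sorted(cid for cid, s in per_conn.items()
                  if s.created >= min_streams and reset_ratio(s) > max_ratio)


# Constructed sample traffic.
SAMPLE_EVENTS = []
# conn-A: a browser loading 120 resources and cancelling 3 (user navigated away).
SAMPLE_EVENTS += [("conn-A", "HEADERS")] * 120 + [("conn-A", "RST_STREAM")] * 3
# conn-B: Rapid Reset behaviour, every stream reset right after it is opened.
for _ in range(500):
    SAMPLE_EVENTS += [("conn-B", "HEADERS"), ("conn-B", "RST_STREAM")]
# conn-C: short-lived client resetting both of its streams; below min_streams.
SAMPLE_EVENTS += [("conn-C", "HEADERS"), ("conn-C", "RST_STREAM")] * 2

if __name__ == "__main__":
    for cid, s in tally_frames(SAMPLE_EVENTS).items():
        print(f"{cid}: created={s.created} resets={s.resets} ratio={reset_ratio(s):.2f}")
    print("close:", connections_to_close(SAMPLE_EVENTS))
```

The two thresholds are the knobs an operator tunes: `max_ratio` decides how aggressive a client may be about cancelling its own requests, and `min_streams` keeps the rule from firing on connections that have not yet shown enough behaviour to judge. Closing the connection (rather than just the stream) is what stops the attacker from re-using the same TCP session to keep the reset loop going.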
SAP fixes dozens of bugs
SAP released several security notes as part of its October 2023 Security Patch Day. The most severe note addressed 37 vulnerabilities, including two critical and 20 high-severity issues in the Chromium browser in SAP Business Client. One of the critical flaws was CVE-2023-4863, which has already been exploited and affects the libwebp image rendering library. The update also addressed CVE-2023-5217, another exploited vulnerability. A separate security note addressed a log injection flaw in NetWeaver (CVE-2023-31405), and customers need to implement both the initial patch and the update to be fully protected.
Adobe issues security updates for multiple products
Adobe has released security patches addressing 13 vulnerabilities in Adobe Commerce and Photoshop. In the case of Adobe Commerce, successful exploitation of the flaws could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass, and application denial-of-service. The affected versions include Adobe Commerce and Magento Open Source versions 2.4.7-beta1 and earlier. Additionally, Adobe Photoshop was found to have a critical-severity flaw (CVE-2023-26370) that could be exploited for code execution attacks on Windows and macOS systems. Adobe has not detected any active exploits for these vulnerabilities.
Google patches security holes in Chrome 118
Google has released Chrome version 118 to the stable channel, addressing 20 vulnerabilities. The most severe of these was CVE-2023-5218, a critical use-after-free bug in Site Isolation, a Chrome security component designed to prevent sites from stealing data from other sites. While Google did not disclose specific details, this type of vulnerability can lead to sandbox escape and arbitrary code execution. The release also includes fixes for eight medium-severity vulnerabilities and five low-severity issues.