2023.10.17.News You Should Know


CDW investigating ransomware gang claims of data theft (therecord.media) - #Ransomware #ThreatActor - CDW acknowledges a breach at a subsidiary of a division of a business area. The threat actors are miffed that their $80m demand was answered with a $1m offer.

HTTP/2 ‘Rapid Reset’ zero-day exploited in biggest DDoS yet • The Register - #Research #ThreatActor - Largest ever DDoS…from one of the smallest botnets yet? Roughly 20k bots (orders of magnitude fewer than previous record-setting botnets) abused HTTP/2 multiplexing (CVE-2023-44487): a client can open hundreds of request streams over a single TCP connection, and the attacker opens them and immediately cancels each one with RST_STREAM, then opens another batch. A cancelled stream no longer counts against the server’s concurrent-stream limit, so that cap never throttles the attacker, while the server has already paid the cost of starting each request. The only practical limit is the attacker’s bandwidth.
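The per-connection counter below is an added example, written in the spirit of the mitigations vendors shipped for this bug (count client-initiated RST_STREAMs per connection and drop connections that cancel streams faster than any real client would); it is not Cloudflare’s, Google’s or any web server’s code. The frame-trace format, the one-second window and the 50-reset budget are assumptions for the example, and the two traces are constructed, not captured.

```python
"""Per-connection Rapid Reset detector (added example, not vendor code).

Feeds a trace of (timestamp, connection, frame type, stream id) tuples and
flags connections whose client cancels its own streams faster than the
assumed budget allows. Window and threshold are assumptions.
"""
from collections import defaultdict, deque

HEADERS = "HEADERS"
RST_STREAM = "RST_STREAM"


class RapidResetMonitor:
    def __init__(self, window=1.0, max_resets=50):
        self.window = window                # seconds (assumed)
        self.max_resets = max_resets        # client resets tolerated per window (assumed)
        self._open = defaultdict(set)       # conn -> client-opened streams still open
        self._resets = defaultdict(deque)   # conn -> timestamps of recent client resets
        self.flagged = set()

    def observe(self, ts, conn, frame, stream_id):
        """Feed one frame from the client side of `conn`.
        Returns True if the connection should be closed."""
        if conn in self.flagged:
            return True
        if frame == HEADERS:
            # Clients open streams on odd ids; a HEADERS on a new one is a request.
            # This is the work the server commits to before any cancel arrives.
            if stream_id % 2 == 1:
                self._open[conn].add(stream_id)
            return False
        if frame == RST_STREAM and stream_id in self._open[conn]:
            # The cancel frees the slot under SETTINGS_MAX_CONCURRENT_STREAMS,
            # which is exactly why that cap never throttles the attack.
            self._open[conn].discard(stream_id)
            recent = self._resets[conn]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.max_resets:
                self.flagged.add(conn)
                return True
        return False


def attack_trace(conn="bot-1", n=200, start=0.0, gap=0.002):
    """Constructed trace: open a stream, cancel it right away, repeat."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, start + i * gap
        frames.append((t, conn, HEADERS, sid))
        frames.append((t + gap / 2, conn, RST_STREAM, sid))
    return frames


def browser_trace(conn="user-1", n=30, start=0.0, gap=0.3, cancel_every=10):
    """Constructed trace: a page load that cancels the odd image now and then."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, start + i * gap
        frames.append((t, conn, HEADERS, sid))
        if i % cancel_every == cancel_every - 1:
            frames.append((t + 0.05, conn, RST_STREAM, sid))
    return frames


def flagged_connections(frames):
    """Replay a merged trace in time order and return the connections to drop."""
    mon = RapidResetMonitor()
    for frame in sorted(frames):
        mon.observe(*frame)
    return mon.flagged
```

Replaying `attack_trace() + browser_trace()` flags only `bot-1`: the bot trips the budget on its 51st cancel inside the window while the browser’s three cancels over nine seconds never come close. Resets on streams the client did not open are ignored on purpose, so a server-initiated close cannot be used to push a legitimate client over the limit.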

US Navy sailor admits to selling military secrets to China • The Register - #politics #InsiderThreat - A Navy sailor admits to selling information to a Chinese handler for $14.8k. This comes after another Chinese-American Navy sailor was arrested in San Diego and a US Army sergeant was arrested for sending his Chinese handlers a totally-not-suspicious document titled “Important Information to Share with Chinese Government”.

35 Squid proxy bugs still unpatched after 2 years • The Register - #VMDR - Squid has been sitting on years-old bugs. Researcher Joshua Rogers says he disclosed 55 bugs to the Squid team in 2021; 20 have been fixed. The other 35 have now been published on his GitHub with detailed write-ups and PoCs. No patched version is currently available to upgrade to, and over 2.5m Squid instances are currently exposed on the internet.

Rogers says he found all of the flaws in Squid-5.0.5 and performed testing in “nearly every component possible: forward proxying, reverse proxying, all protocols supported (http, https, https intercept, urn, whois, gopher, ftp), responses, requests, ‘helpers,’ DNS, ICAP, ESI, and caching. Every conceivable possible user and build configuration was used.”

SEC is investigating MOVEit mass-hack, says Progress Software | TechCrunch - #SEC #BusinessContinuity - The SEC is investigating the MOVEit hacks. Progress claims minimal financial impact (about $1m, per its SEC filings) but faces at least 23 suits from affected customers and 58 class-action lawsuits, with some 64m individuals affected.

This comes days after Progress disclosed a vulnerability in another of its products, WS_FTP.

Signal says there is no evidence rumored zero-day bug is real (bleepingcomputer.com) - Multiple groups claimed a zero-day in the Signal messenger. No actual disclosure has been made; the Signal project and others publicly state they are unaware of any issue and ask anyone with details to reach out to security[@]signal.org.

Fake ‘RedAlert’ rocket alert app for Israel installs Android spyware (bleepingcomputer.com) - #ThreatActor #Politics - Red Alert, the rocket-attack notification app, is being impersonated by malicious APKs distributed outside the Google Play store. Cloudflare found that the trojanized application requests permissions well beyond what the real app needs, giving it access to the user’s contacts, phone numbers, SMS content, list of installed software, call logs, phone IMEI, logged-in email and app accounts, and more.
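The quickest triage for a sideloaded APK like this is to diff the permissions it requests against what the app’s purpose justifies. The script below is an added example (not Cloudflare’s analysis tooling and not the Red Alert developers’ code) that does exactly that over a decoded AndroidManifest.xml; the APK itself carries a binary manifest, so decode it first (for instance `apktool d app.apk`) and point the script at the result. The baseline permission set for a rocket-alert app and both sample manifests are assumptions constructed for the example.

```python
"""Permission triage for a sideloaded APK's decoded AndroidManifest.xml.

Added example, not Cloudflare's or the Red Alert developers' code. Run it on
the manifest apktool (or androguard) extracts from the APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Permissions that hand over the data Cloudflare saw the fake app collect.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "incoming SMS (OTP interception)",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "phone number / device identifiers (IMEI on older Android)",
    "android.permission.READ_PHONE_NUMBERS": "phone numbers",
    "android.permission.GET_ACCOUNTS": "logged-in email and app accounts",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed software",
    "android.permission.RECORD_AUDIO": "microphone",
}

# What a rocket-alert app plausibly needs: network, notifications, location for
# area-specific alerts, and restarting after reboot. Assumed baseline, not the
# real app's manifest.
ALERT_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}


def requested_permissions(manifest_xml):
    """All <uses-permission> / <uses-permission-sdk-23> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        names.update(el.get(NAME) for el in root.iter(tag) if el.get(NAME))
    return names


def triage(manifest_xml, baseline=ALERT_APP_BASELINE):
    """Return the permissions outside the baseline and which of them enable spying."""
    requested = requested_permissions(manifest_xml)
    excess = requested - baseline
    suspicious = {p: SPY_PERMISSIONS[p] for p in sorted(excess) if p in SPY_PERMISSIONS}
    return {"excess": sorted(excess), "suspicious": suspicious}


def _manifest(package, perms):
    # Constructed sample manifest (not taken from any real APK).
    lines = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
            f'{lines}\n  <application android:label="RedAlert"/>\n</manifest>')


COMMON = [
    "android.permission.INTERNET", "android.permission.POST_NOTIFICATIONS",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.RECEIVE_BOOT_COMPLETED",
]
LEGIT_SAMPLE = _manifest("com.example.redalert", COMMON)
TROJANIZED_SAMPLE = _manifest("com.example.redalert", COMMON + [
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS", "android.permission.QUERY_ALL_PACKAGES",
])

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_SAMPLE), ("trojanized", TROJANIZED_SAMPLE)):
        print(label, triage(sample))
```

Permissions alone do not prove malice, but for an app whose whole job is to show a notification, a request for contacts, SMS, call logs and the installed-package list is the signal that warrants pulling the APK apart further.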

Russian Sandworm hackers breached 11 Ukrainian telcos since May (bleepingcomputer.com) - #ThreatActor #Politics #Russia - Everyone’s favorite Russian threat actor is back, this time targeting Ukrainian telecom providers.

Thousands of Cisco IOS XE devices hacked in widespread attacks (bleepingcomputer.com) - #VMDR #ThreatActor - VulnCheck helped identify thousands of already-exploited Cisco IOS XE devices carrying a malicious implant. The CVE (CVE-2023-20198, also a 10/10) abuses the WebUI management interface, which is too often exposed to the internet. VulnCheck has released a tool on GitHub to help users identify infected devices.
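If you would rather check your own devices than wait for a scanner to find them, the probe below is an added example (not VulnCheck’s tool and not Cisco’s code) built around the check Cisco Talos published for this implant: an HTTP POST to `/webui/logoutconfirm.html?logon_hash=1` makes the implant answer with an 18-character hexadecimal string, while an uninfected WebUI does not. The verdict labels and the batch wrapper are assumptions for the example. Treat a clean result as evidence, not proof: an implant can be modified, and the exploit also created privileged local users (names like `cisco_tac_admin` and `cisco_support` were reported), so review the running config for accounts you did not create.

```python
"""Probe Cisco IOS XE devices for the CVE-2023-20198 web implant.

Added example based on the Talos-published check; not VulnCheck's scanner.
Usage: python probe.py 192.0.2.10 192.0.2.11 ...
"""
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
IMPLANT_REPLY = re.compile(r"[0-9a-fA-F]{18}")  # implant answers with an 18-char hex string


def classify(status, body):
    """Map one HTTP reply to a verdict (labels are this example's own).

    'implant'  - the implant's hex token came back
    'clean'    - the WebUI answered, but without the token
    'no-webui' - the path is not served at all (404), so there is nothing to test here
    """
    if status == 404:
        return "no-webui"
    if status == 200 and IMPLANT_REPLY.fullmatch(body.strip()):
        return "implant"
    return "clean"


def probe(host, timeout=5.0):
    """POST the trigger to one device and classify the answer.
    Certificate checks are disabled because IOS XE ships self-signed certs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            # The token is tiny; reading a short prefix keeps a large login page cheap.
            return classify(resp.status, resp.read(64).decode("ascii", "replace"))
    except HTTPError as e:
        return classify(e.code, "")
    except (URLError, OSError):
        return "unreachable"


def scan(hosts):
    """Probe each host; returns {host: verdict}."""
    return {h: probe(h) for h in hosts}


if __name__ == "__main__":
    import sys
    for host, verdict in scan(sys.argv[1:]).items():
        print(f"{host}\t{verdict}")
```

Run it only against devices you own; the request is harmless to a clean device, but it is still an unauthenticated POST to a management interface. The better fix is the one the advisory leads with: take the WebUI off the internet.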

Microsoft to kill off VBScript in Windows to block malware delivery (bleepingcomputer.com) - #ThreatActor - After retiring Internet Explorer, Microsoft is moving VBScript to an optional feature on demand, like Hyper-V or WSL. Going forward, Windows systems will not ship with VBScript support enabled by default, and the optional component will only persist until an undisclosed EOL date.

Mirai DDoS malware variant expands targets with 13 router exploits (bleepingcomputer.com) - #BotNet #ThreatActor - The IZ1H9 variant now carries exploits for D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link Archer, Korenix, TOTOLINK, and possibly ProLINK devices. After infecting a device it clears logs and writes iptables rules to block users from reaching the admin interfaces. It also carries hardcoded credentials to log into downstream devices, including UniFi gear and others for which it has no working exploit.

LinkedIn Smart Links attacks return to target Microsoft accounts (bleepingcomputer.com) - #ThreatActor #Espionage - LinkedIn’s Smart Links redirect service wraps the phishing URL in a legitimate-looking linkedin[.]com/{8-character short code} link, so the email sails through most email security products as a trusted link. Threat actors abuse this to push up click-through rates and, in this campaign, harvest Microsoft account credentials.

Apple fixes iOS Kernel zero-day vulnerability on older iPhones (bleepingcomputer.com) - #Vmdr #CVE - What would a Show & Tell be without another Apple zero-day? This week’s is CVE-2023-42824, a kernel privilege-escalation bug already exploited in the wild and now backported to iOS 16.7.1 for older iPhones (not to be confused with the 9.8-rated WebKit zero-day CVE-2023-41993 from September’s round). Chained bugs like these are what commercial spyware uses to record screens, read texts, activate microphones and cameras, etc. etc… Just patch everything Apple…again. And don’t stop. Ever.