Canary Trap’s Bi-Weekly Cyber Roundup – Oct. 13, 2023.
- October 13, 2023
- Canary Trap
Welcome to our inaugural edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. In this ever-evolving landscape of cybersecurity, staying informed is not just a choice, but a necessity. Our mission is to keep you up-to-date with the most critical developments in the digital defense realm, and this bi-weekly publication is your gateway to the latest news.
In this edition of the roundup, we’ll dive into an array of headlines that underscore the dynamic nature of cybersecurity, as we aim to equip you with the knowledge and insights necessary to navigate this ever-changing landscape.
- Largest-Ever DDoS Leverages Zero-Day Vulnerability
A coalition of technology giants including Google, Cloudflare, and Amazon AWS recently disclosed the largest Distributed Denial of Service (DDoS) attack ever recorded. This attack peaked at 398 million requests per second (RPS), which is substantially higher than previous records—eight times larger than Google’s previous high of 46 million RPS, and vastly exceeding Cloudflare’s previous record of 71 million RPS.
The attack exploited a zero-day vulnerability known as “HTTP/2 Rapid Reset,” impacting the HTTP/2 protocol used in about 60% of browser traffic. The flaw allows attackers to flood systems with an enormous volume of requests in a very short time. To put the scale into perspective, the two-minute attack generated more requests than Wikipedia received for article views during the entire month of September 2023.
The attacks began in August and have specifically targeted major infrastructure providers like Google Cloud, Cloudflare, and Amazon Web Services. Cloudflare has since noted over 180 instances where their previous DDoS record was broken, along with over 1,000 instances where attacks exceeded 10 million RPS, all leveraging the Rapid Reset vulnerability. The vulnerability identifier for this flaw is CVE-2023-44487.
Interestingly, the attack was highly efficient, using a botnet of only 20,000 machines, far fewer than the number of infected machines typically seen in DDoS attacks. Alex Forster, the tech lead for DDoS mitigation at Cloudflare, emphasized that organizations should act quickly to patch this vulnerability, as it’s only a matter of time before other malicious actors begin to exploit it.
Damian Menscher, a security reliability engineer focusing on DDoS at Google, mentioned that despite the expectation of increasingly larger and more complex DDoS attacks, this recent attack was unexpected in its scale and sophistication.
This record-breaking DDoS attack reveals a new level of threat by exploiting a fundamental vulnerability in HTTP/2. The attack targeted major cloud and service providers and has set off a race to patch systems before further exploitation occurs. Organizations are advised to take immediate proactive measures for protection against such large-scale attacks.
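A Rapid Reset client opens a stream and cancels it immediately, so the server spends work on each request while the client never fills its concurrent-stream limit. The usual server-side countermeasure is to count rapid cancellations per connection and close connections that exceed a threshold. The following is an added example of that per-connection check, not code from Cloudflare, Google or any named vendor; the frame events, the 50-resets-per-second threshold and the 100 ms "rapid" window are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of HTTP/2 frame events as (time_ms, conn_id, frame_type, stream_id).
# "legit" behaves normally (one genuine cancel); "abuser" opens and resets a stream every ms.
SAMPLE_EVENTS = [
    (0, "legit", "HEADERS", 1), (40, "legit", "DATA", 1),
    (90, "legit", "HEADERS", 3), (120, "legit", "RST_STREAM", 3),
] + [
    ev for i in range(200)
    for ev in ((i, "abuser", "HEADERS", 2 * i + 1), (i, "abuser", "RST_STREAM", 2 * i + 1))
]

class RapidResetGuard:
    """Per-connection limiter: a RST_STREAM arriving within rapid_ms of the stream's
    HEADERS counts as a rapid reset; more than max_rapid_resets of them inside a
    sliding window of window_ms closes the connection. Thresholds are assumptions."""
    def __init__(self, max_rapid_resets=50, window_ms=1000, rapid_ms=100):
        self.max_rapid_resets = max_rapid_resets
        self.window_ms = window_ms
        self.rapid_ms = rapid_ms
        self.open_streams = defaultdict(dict)   # conn -> {stream_id: open_time_ms}
        self.rapid_resets = defaultdict(deque)  # conn -> timestamps of rapid resets
        self.closed = set()

    def observe(self, time_ms, conn, frame, stream_id):
        """Feed one frame; return True if the connection should be (or already is) closed."""
        if conn in self.closed:
            return True
        if frame == "HEADERS":
            self.open_streams[conn][stream_id] = time_ms
        elif frame == "RST_STREAM":
            opened = self.open_streams[conn].pop(stream_id, None)
            if opened is not None and time_ms - opened <= self.rapid_ms:
                q = self.rapid_resets[conn]
                q.append(time_ms)
                while q and time_ms - q[0] > self.window_ms:  # drop resets outside the window
                    q.popleft()
                if len(q) > self.max_rapid_resets:
                    self.closed.add(conn)
                    return True
        return False

def run(events, guard=None):
    """Replay events in time order; return the sorted list of connections that were closed."""
    guard = guard or RapidResetGuard()
    for ev in sorted(events):
        guard.observe(*ev)
    return sorted(guard.closed)

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # the abusive connection is closed, the legitimate one is not
```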
- NSA and CISA Share Top Ten Cybersecurity Misconfigurations
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory detailing the top ten most common cybersecurity misconfigurations found in the networks of large organizations. These misconfigurations are often exploited by threat actors for various malicious activities, including unauthorized access, lateral movement within networks, and targeting sensitive data.
The key findings come from assessments conducted by the agencies’ Red and Blue teams across diverse sectors, including the Department of Defense, federal and local governments, and the private sector. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, emphasized that these common vulnerabilities put all Americans at risk.
The top 10 most common network misconfigurations identified are:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
Goldstein also urged software manufacturers to adopt secure-by-design principles, which include integrating security controls at each stage of the software development lifecycle. He stressed the importance of eliminating default passwords and making MFA a default feature rather than an optional one. Manufacturers should also take steps to eliminate entire categories of vulnerabilities by using measures such as memory-safe coding languages and parameterized queries.
For mitigating the risk of these misconfigurations, the agencies recommend:
- Eliminating default credentials and hardening configurations
- Deactivating unused services and implementing stringent access controls
- Regularly updating and automating the patching process, with priority given to known, exploited vulnerabilities
- Restricting, auditing, and monitoring administrative accounts and privileges
Additionally, NSA and CISA advise organizations to regularly test and validate their security programs against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. They also suggest evaluating existing security controls against the ATT&CK techniques described in the advisory.
- 23andMe Data Stolen in Targeted Attack
23andMe, a DNA testing company, is investigating the potential theft of a large volume of customer data that was allegedly offered for sale on a cybercrime forum. The incident came to light after a post appeared on the forum on a Sunday, claiming to offer “the most valuable data you’ll ever see” with a sample that supposedly included “20 million pieces of data” originating from 23andMe.
Following this event, 23andMe released a statement stating that they were aware that “certain 23andMe customer profile information was compiled through unauthorized access to individual 23andMe.com accounts.” Importantly, the company noted that there is no current evidence to suggest that their internal systems experienced a data security breach.
The preliminary investigation indicates that the attacker may have used login credentials leaked from other platforms to gain access to 23andMe accounts where customers had reused their username and password. For accounts enrolled in 23andMe’s “DNA Relatives” service, the attacker managed to scrape a variety of data, such as users’ display name, profile photo, birth year, location, predicted relationships, percentage of DNA match, number of shared genetic segments, and some genetic ancestry information.
The exact magnitude and authenticity of the data being offered for sale remain unverified. After the data was initially listed on Sunday, the offer was subsequently removed, only to reappear on Wednesday with additional details, including options to buy the data in varying batch sizes. The seller claimed to possess 13 million profiles but did not offer any specifics about the methods of data acquisition or any interactions with 23andMe.
This situation underlines the critical importance of cybersecurity measures not just within a company’s internal systems but also concerning the security hygiene of its user base, especially given the sensitive nature of the data involved. The incident is still under investigation, and the scope and impact are yet to be fully understood.
- MGM Resorts Ransomware Attack Costs $110 Million
MGM Resorts, a hospitality and entertainment company, was hit by a ransomware attack in September, affecting its hotel reservation systems in the United States as well as other IT systems running its casino floors. The attack has cost the company over $110 million, with $10 million paid to third-party experts for system clean-up. An affiliate of the BlackCat/ALPHV ransomware group, known as Scattered Spider, claimed responsibility for the attack.
MGM Resorts believes that the attack will negatively impact its third-quarter results for 2023, mainly affecting its Las Vegas operations. However, they expect minimal impact during the fourth quarter and do not foresee a material effect on the overall financial condition for the year. The company filed an 8-K report with the SEC, stating an estimated negative impact of approximately $100 million to the Adjusted Property EBITDAR for both its Las Vegas Strip Resorts and Regional Operations. Additionally, MGM incurred less than $10 million in one-time expenses for the quarter, which included technology consulting services, legal fees, and other third-party advisory expenses.
MGM Resorts has cybersecurity insurance that will cover the financial losses and future expenses, although the full extent of the costs and impacts is still undetermined. An ongoing investigation revealed that threat actors had access to personal information of customers who transacted with the company prior to March 2019. Exposed information includes names, contact details, gender, date of birth, and driver’s license numbers. In some cases, Social Security numbers and passport numbers were also exposed. Importantly, no customer bank account or payment card details were compromised in the attack.
Given the complexities and costs involved, this incident underscores the significant financial and operational risks that organizations in the hospitality and entertainment sectors face from cybersecurity threats. The attack also raises questions about how well-prepared companies are to deal with such incursions and the kind of data protection measures they have in place to safeguard customer information.
- Citrix Patches Critical NetScaler ADC, Gateway Vulnerability
Citrix has announced patches for several vulnerabilities affecting its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products. The most critical of these is identified as CVE-2023-4966 with a CVSS score of 9.4. This vulnerability could lead to unauthorized disclosure of sensitive information. The flaw is particularly concerning because it can be exploited without authentication on appliances configured as a Gateway or an AAA virtual server.
Affected versions include NetScaler ADC and NetScaler Gateway versions 14.1, 13.1, 13.0, as well as NetScaler ADC 13.1-FIPS, 12.1-FIPS, and 12.1-NDcPP. Citrix has released updated versions to address these vulnerabilities and strongly recommends that customers upgrade, especially since version 12.1 is now End-of-Life (EOL) and remains vulnerable.
Citrix has also addressed a high-severity denial-of-service (DoS) flaw, identified as CVE-2023-4967 with a CVSS score of 8.2, affecting products configured as gateways or AAA virtual servers.
Finally, Citrix also announced hotfixes for five vulnerabilities in Citrix Hypervisor 8.2 CU1 LTSR. These could allow malicious code in a guest VM to compromise or crash the host or another VM, or access information from code running on the same CPU core. Four of these issues specifically impact systems running on AMD CPUs.
Although there have been no reports of these vulnerabilities being exploited in the wild, historical data shows that NetScaler ADC and Gateway vulnerabilities have been targeted by malicious actors. The U.S. cybersecurity agency CISA has also issued a warning, urging administrators to review the advisories from Citrix and apply the necessary patches to prevent potential exploitation.
Given the severity and range of these vulnerabilities, immediate attention to patch management and system updates is crucial for organizations using these Citrix products.
- Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits
Microsoft has released its October 2023 Patch Tuesday updates, addressing a total of 103 software vulnerabilities, two of which are actively being exploited. Of these, 13 are rated Critical and 90 Important; a further 18 address vulnerabilities in its Chromium-based Edge browser.
Two zero-day vulnerabilities have been weaponized:
- CVE-2023-36563. An information disclosure vulnerability in Microsoft WordPad with a CVSS score of 6.5. This could lead to the leak of NTLM hashes. To exploit it, an attacker would have to convince the user to click a link in an email or instant message and open a malicious file.
- CVE-2023-41763. A privilege escalation vulnerability in Skype for Business with a CVSS score of 5.3. This vulnerability could expose sensitive information like IP addresses or port numbers, thereby allowing threat actors to infiltrate internal networks.
Microsoft also patched multiple flaws in Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol, which could result in remote code execution and denial-of-service (DoS) attacks. A severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) was also addressed. This particular vulnerability could allow an attacker to impersonate another user through a brute-force attack.
An update for CVE-2023-44487 was also released. This is known as the HTTP/2 Rapid Reset attack and has been used in high-volume DDoS attacks. While this attack could disrupt service availability, Microsoft clarified that it doesn’t compromise customer data.
Lastly, Microsoft announced the deprecation of Visual Basic Script (VBScript), commonly exploited for malware distribution. In future Windows releases, VBScript will be offered as a feature-on-demand before its complete removal.
Given the range and severity of these vulnerabilities, including those that have already been weaponized, immediate patch management is highly recommended for organizations using Microsoft products.
Security updates have also been released by other vendors since the start of the month, including:
- Adobe, AMD, Android, Apache Projects, Apple, Aruba Networks, Arm, Atlassian, Atos
- Cisco, Citrix, CODESYS, Dell, Drupal, F5, Fortinet, GitLab, Google Chrome
- Hitachi Energy, HP, IBM, Juniper Networks, Lenovo
- Linux distributions: Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek, Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Qualcomm, Samba, Samsung, SAP, Schneider Electric, Siemens, Sophos, and VMware