InfoSec Weekly

October 15, 2023

Table Of Contents

HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

Description

Amazon Web Services (AWS), Cloudflare, and Google have taken steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that exploited a novel technique known as HTTP/2 Rapid Reset. These layer 7 attacks, detected in late August 2023, were coordinated under the CVE-2023-44487 designation with a CVSS score of 7.5. The attacks aimed at Google’s cloud infrastructure reached 398 million requests per second, while those targeting AWS and Cloudflare exceeded 155 million and 201 million RPS, respectively.

HTTP/2 Rapid Reset exploits a zero-day flaw in the HTTP/2 protocol, allowing DDoS attacks by sending and rapidly canceling requests in quick succession. This technique overwhelms the server without reaching its configured threshold, effectively taking down websites. Notably, these attacks can be executed using a relatively small botnet, such as 20,000 machines, as observed by Cloudflare.

HTTP/2 is widely used, and the attack’s potential impact is significant. Several companies, including Alibaba, Apache Tomcat, Apple Swift, and Microsoft, have released updates to counter this new attack vector. Security experts are urging organizations to proactively protect their systems against this vulnerability.

Infected Technology

NGINX HTTP/2 module

Source

https://thehackernews.com/2023/10/http2-rapid-reset-zero-day.html

Recommendation

Update their NGINX configuration

CVE ID

CVE-2023-44487


Two High-Risk Security Flaws Discovered in Curl Library

Description

Two critical security vulnerabilities have been identified in the Curl data transfer library, with the more severe CVE-2023-38545 leading to a heap-based buffer overflow in the SOCKS5 proxy handshake, potentially enabling remote code execution. The issue arises when Curl is asked to transmit a hostname to the SOCKS5 proxy, allowing it to resolve the address, resulting in a buffer overflow if the hostname exceeds 255 bytes. Despite the likelihood of exploitation in the wild, the conditions required for vulnerability are more restrictive, involving triggering code execution through a web app and connection to a SOCKS5 proxy. A less severe vulnerability, CVE-2023-38546, allows unauthorized cookie injection into a program using libcurl, impacting versions 7.9.1 to 8.3.0. Both flaws have been addressed in the recent release of version 8.4.0 on October 11, 2023, ensuring that Curl no longer switches to local resolve mode for overly long hostnames, effectively preventing heap-based buffer overflows. Despite the vulnerabilities, the development team has no immediate plans to migrate Curl to a memory-safe language from its current C framework.

Infected Technology

• Curl data transfer library

Source

https://thehackernews.com/2023/10/two-high-risk-security-flaws-discovered.html

Recommendation

• Patches for both flaws are available in version 8.4.0 released on October 11, 2023. Hence, upgrading to the latest version is recommended


20+ Vulnerabilities along with CVE-2023-5218 addressed by Google Chrome’s latest update

Description

Google has released a security update for its Chrome browser, bringing the Stable channels to version 118.0.5993.70 for Mac and Linux, and 118.0.5993.70/.71 for Windows. The Extended Stable channel has also been updated to 118.0.5993.71 for Windows and 118.0.5993.70 for Mac. This update addresses a total of 20 security vulnerabilities, including a critical flaw labeled CVE-2023-5218 related to a “Use after free in Site Isolation.” The flaw could have allowed remote attackers to exploit heap corruption through a crafted HTML page, requiring some form of user involvement. Additionally, several medium and low severity vulnerabilities were fixed, each with a corresponding CVE identifier. To stay protected, Google advises users to ensure they are running the latest version of Google Chrome.

Infected Technology

• Google Chrome web browser

Source

https://cybersecuritynews.com/google-chrome-critical-flaw/

Recommendation

• Users are strongly encouraged to update their Google Chrome browser to the latest available version

CVE ID

CVE-2023-5218


CISA Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently included a significant security flaw in Adobe Acrobat Reader in its list of known exploited vulnerabilities categorized as a use-after-free bug. Exploiting this vulnerability enables an attacker to achieve remote code execution (RCE), operating with the privileges of the affected user.A proof-of-concept (PoC) exploit for the vulnerability was released in January 2023, showcasing the potential for exploiting the flaw. The specifics of the exploitation method and the threat actors utilizing this vulnerablilites are currently undisclosed.

Infected Technology
  • Acrobat DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
  • Acrobat Reader DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
  • Acrobat 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)
  • Acrobat Reader 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)
Source

https://thehackernews.com/2023/10/us-cybersecurity-agency-warns-of.html

Recommendation
  • Affected users must apply patches provided by the vendor before October 31, 2023, to safeguard their networks and mitigate potential security threats.
CVE ID

CVE-2023-21608


European Union Leaders and Military Personnel Targeted in New PEAPOD Cyberattack Campaign

Description

In a recent development, political leaders and military personnel involved in gender equality initiatives within the European Union have become the focal point of a sophisticated cyberattack campaign. This campaign involves the deployment of an updated version of the RomCom Remote Access Trojan (RAT) known as PEAPOD. The attacks are attributed to a threat actor known as Void Rabisu, previously identified as Storm-0978, Tropical Scorpius, and UNC2596, and potentially linked to the Cuba ransomware group. This group operates at the intersection of financially motivated cyberattacks and espionage, with a particular focus on countries supporting Ukraine.

Infected Technology

Search Engines mostly Google and Bing

Source

https://thehackernews.com/2023/10/new-peapod-cyberattack-campaign.html

Recommendation

• Ensure that all personnel are well-informed about the risks of spear-phishing emails and are trained in recognizing and avoiding potential threats.


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us