Software management, the seasonal return of DDoS - F5 SIRT- This Week in Security: 10/9 - 10/15
This Week in Security
October 9th to October 15th, 2022
"Software security management, the seasonal return of DDoS and cyber-attacks will get you to real prison"
Editor's introduction
This week's editor is Lior Rotkovitch. October is Cybersecurity Awareness Month, and F5 promotes it both externally and internally with discussions and knowledge transfer. It makes you see, over and over, the huge impact security has on our day-to-day lives in general, and on hardware and software products and services in particular.
Reading the security news lately, it feels like we have ever more major challenges to overcome: yet another CVE being exploited, security for software that has reached end of life, and what do we do when a 0-day is in our cars? DDoS is always a sure way to hit the headlines, and cyber crime will get you to real jail.
My recommendation for this week: one of the high-profile topics is the software supply chain problem, which is described nicely in Ryan Naraine's Security Conversations. They mention that not long ago we all said open source was considered more secure software since more eyes were watching it. They also talk about the SBOM concept as a good starting point for tackling this topic.
Until next time, keep it up. Lior.
Twitter: @rotkovitch
- PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin
- Automotive Security Threats Are More Critical Than Ever
- Over 45,000 VMware ESXi servers just reached end-of-life
- Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack
- Russian DDoS attack project pays contributors for more firepower
- US airports' sites taken down in DDoS attacks by pro-Russian hackers
- International crackdown on West-African financial crime rings
- How Wi-Fi spy drones snooped on financial firm
- Security M&A
PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin
Remember the critical Fortinet CVE that Dharminder mentioned last week? This is one of those cases where a PoC and then an operational exploit get released. These are then fed into the botnets scanning the web, and the race to patch that I described begins. So I'm sending my support to the Fortinet security team.
“On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack.
This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.
Penetration testing company Horizon3.ai has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners.
There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours.
WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs.”
“Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place,” the Wordfence team at Defiant explained. “However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, [...] which attempts to update the public SSH key of the admin user.”
- https://www.securityweek.com/poc-published-fortinet-vulnerability-mass-exploitation-attempts-begin
- https://www.darkreading.com/attacks-breaches/concerns-fortinet-flaw-poc-increased-exploit-activity
- https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-fortinet-auth-bypass-bug-patch-now/
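As an added illustration (not code from the SecurityWeek article, the Wordfence team or F5 SIRT), here is a small log-triage script for the two behaviours described in the quote above: GET probes that check whether a Fortinet appliance is present, and PUT requests that try to write an SSH public key onto the admin user. The log format (combined access log with the request body appended as a final quoted field), the sample log lines, the endpoint path /api/v2/cmdb/system/admin/admin, the JSON field name ssh-public-key1 and the trusted management address 10.0.0.5 are all assumptions constructed for this example; confirm the real request shape against Fortinet's advisory and the published PoC before turning this into a production detection.

```python
"""Triage constructed web-access log lines for the scan-then-exploit pattern
reported around CVE-2022-40684: GET probes followed by PUT requests that write
an SSH public key onto the admin user. Added example, not vendor or F5 code."""
import re

# Constructed sample lines, NOT real captures. Format assumed: combined access
# log with the request body appended as a final quoted field. The endpoint
# path, JSON field name and the "trusted" 10.0.0.5 host are assumptions.
SAMPLE_LOG = r'''203.0.113.7 - - [11/Oct/2022:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1182 ""
203.0.113.7 - - [11/Oct/2022:10:01:03 +0000] "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1" 200 512 "{\"ssh-public-key1\":\"ssh-rsa AAAAB3...attacker\"}"
198.51.100.23 - - [11/Oct/2022:10:02:11 +0000] "GET /remote/login HTTP/1.1" 200 1182 ""
198.51.100.24 - - [11/Oct/2022:10:02:12 +0000] "GET /remote/login HTTP/1.1" 200 1182 ""
192.0.2.10 - - [11/Oct/2022:10:03:00 +0000] "GET /api/v2/cmdb/system/admin HTTP/1.1" 401 0 ""
192.0.2.10 - - [11/Oct/2022:10:05:00 +0000] "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1" 200 512 "{\"ssh-public-key1\":\"ssh-ed25519 AAAAC3...attacker\"}"
192.0.2.10 - - [11/Oct/2022:10:05:01 +0000] "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1" 500 0 "{\"ssh-public-key1\":\"ssh-ed25519 AAAAC3...attacker\"}"
10.0.0.5 - - [11/Oct/2022:10:06:00 +0000] "PUT /api/v2/cmdb/system/admin/admin HTTP/1.1" 200 512 "{\"ssh-public-key1\":\"ssh-rsa AAAAB3...ops\"}"
'''

# One access-log line: ip, two ignored fields, [timestamp], "METHOD path proto",
# status, bytes, "body". The body may contain escaped quotes, so it is matched
# greedily up to the last quote on the line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<body>.*)"$'
)
# Assumed admin-user config endpoint (any admin account name after the slash).
ADMIN_PATH_RE = re.compile(r"^/api/v2/cmdb/system/admin/[^/?]+")
# Assumed field name for the admin user's public SSH key(s).
SSH_KEY_RE = re.compile(r"ssh-public-key\d*")
# Paths a scanner would hit to fingerprint the appliance (assumed list).
PROBE_PATH_RE = re.compile(r"^/(remote/login|api/v2/cmdb/)")


def parse_line(line):
    """Return a dict of the line's fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def classify(ev):
    """'exploit_attempt' for a PUT that writes an SSH key to an admin account,
    'probe' for a GET against a fingerprinting path, else None."""
    if (ev["method"] == "PUT" and ADMIN_PATH_RE.match(ev["path"])
            and SSH_KEY_RE.search(ev["body"])):
        return "exploit_attempt"
    if ev["method"] == "GET" and PROBE_PATH_RE.match(ev["path"]):
        return "probe"
    return None


def triage(log_text, trusted_sources=frozenset()):
    """Summarise scanner population and key-write attempts. A key write that
    returned HTTP 200 from an address outside trusted_sources is the alert."""
    probe_ips, attempt_ips = set(), set()
    successful_untrusted, trusted_key_writes = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these
        kind = classify(ev)
        if kind == "probe":
            probe_ips.add(ev["ip"])
        elif kind == "exploit_attempt":
            attempt_ips.add(ev["ip"])
            if ev["status"] == 200:  # the appliance accepted the key write
                entry = (ev["ip"], ev["ts"])
                if ev["ip"] in trusted_sources:
                    trusted_key_writes.append(entry)
                else:
                    successful_untrusted.append(entry)
    return {
        "unique_source_ips": len(probe_ips | attempt_ips),
        "probe_ips": sorted(probe_ips),
        "attempt_ips": sorted(attempt_ips),
        "successful_untrusted": successful_untrusted,
        "trusted_key_writes": trusted_key_writes,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, trusted_sources={"10.0.0.5"})
    print(f"{result['unique_source_ips']} unique source IPs; probes from {result['probe_ips']}")
    for ip, ts in result["successful_untrusted"]:
        print(f"ALERT: admin SSH key written from untrusted {ip} at {ts}")
```

The probe list is only the scanner population (the kind of "unique IPs" count GreyNoise reports); the event to act on is a key write that the appliance accepted from an address outside your management allowlist, and a 500 on the same request still tells you who is trying.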
Automotive Security Threats Are More Critical Than Ever
Cars have more and more software in them: not just the connectivity stack (Wi-Fi, Bluetooth, LTE) but the vehicle software itself. Like any software, automotive software needs to be sustained with updates, across a “...supply chain from OEM factories and legacy systems to component suppliers including those supplying sensors, ECUs, connections and other communication technology to maintain cohesion across applications.” Now think about a critical vulnerability in one OEM's software that needs to be patched across a million exposed cars.
Over 45,000 VMware ESXi servers just reached end-of-life
Beyond supply chain challenges, what happens when widely used software reaches end of life and end of support? Such systems “will only receive technical support but no security updates, putting the software at risk of vulnerabilities.”
Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack
“Web infrastructure and security company Cloudflare disclosed this week that it halted a 2.5 Tbps distributed denial-of-service (DDoS) attack launched by a Mirai botnet. Characterizing it as a "multi-vector attack consisting of UDP and TCP floods," researcher Omer Yoachimik said the DDoS attack targeted the Minecraft server Wynncraft in Q3 2022. "The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26 million rps attack [was] only 15 seconds."”
- https://thehackernews.com/2022/10/mirai-botnet-hits-wynncraft-minecraft.html
- https://www.securityweek.com/mirai-botnet-launched-25-tbps-ddos-attack-against-minecraft-server
Russian DDoS attack project pays contributors for more firepower
“A pro-Russian group created a crowdsourced project called 'DDOSIA' that pays volunteers launching distributed denial-of-service (DDOS) attacks against western entities.”
“Volunteers for DDOSIA need to register through Telegram to receive a ZIP archive with the malware (“dosia.exe”), which contains a unique ID for each user.
Members can link this ID to a cryptocurrency wallet and receive money for participating in DDoS attacks, payment being proportional to the firepower they provide.”
“Top contributors in each attack wave receive 80,000 rubles ($1,250), second-place attackers receive 50,000 rubles ($800), and third-place contributors are compensated with 20,000 rubles ($300).
In the attacks against the U.S. airports, DDOSIA announced that they would distribute payouts to the top ten contributors, increasing the rewards for the contributors.”
US airports' sites taken down in DDoS attacks by pro-Russian hackers
“The pro-Russian hacktivist group 'KillNet' is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible.
The DDoS attacks have overwhelmed the servers hosting these sites with garbage requests, making it impossible for travelers to connect and get updates about their scheduled flights or book airport services.”
“KillNet listed the domains yesterday on its Telegram channel, where members and volunteers of the hacktivist group gather to acquire new targets.”
General – security bits
International crackdown on West-African financial crime rings
INTERPOL arrests ‘Black Axe’ cybercrime syndicate members
How Wi-Fi spy drones snooped on financial firm
- https://www.theregister.com/2022/10/12/drone-roof-attack/
Wi-Fi drones were used by hackers to penetrate a financial firm's network remotely
Security M&A
“If you're wondering why Google blew $5b on Mandiant, this may shed some light”
- https://www.theregister.com/2022/10/11/google_mandiant_brain/