100 million RPS DDoS attack exploits HTTP/2 Rapid Reset Flaw

SISA Weekly Threat Watch 06 Nov, 2023

The past week has been marked by a series of critical cybersecurity threats and vulnerabilities that warrant immediate attention. These include a financially motivated threat group running sophisticated social engineering campaigns, a record-breaking DDoS attack exploiting the HTTP/2 Rapid Reset flaw, a ransomware group exploiting a critical Apache ActiveMQ vulnerability, high-severity flaws in the Kubernetes ingress-nginx controller that require immediate patching, and a cryptojacking campaign that harvests AWS credentials leaked on GitHub. These threats underscore the need for proactive defense measures and swift security updates.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft identifies Octo Tempest as a highly threatening financial hacking group

Microsoft is actively monitoring Octo Tempest, a financially motivated threat group known for its sophisticated social engineering campaigns. Its tactics have evolved from selling SIM swaps and hijacking cryptocurrency accounts to phishing, large-scale password resets and data theft, with extortion as the end goal. In 2023 the group expanded its targeting across many industries and became an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation, deploying ransomware on both Windows and Linux, with a particular focus on VMware ESXi servers.

Octo Tempest relies on SMS phishing, SIM swapping and adept social engineering, often posing as a newly hired employee to talk help-desk staff and administrators into resetting passwords or MFA. Once inside, the group abuses legitimate tooling, including Azure Data Factory pipelines, to move stolen data out to external servers. Given how quickly its tactics change, organizations should adopt a proactive defense: tight privilege management across Microsoft Entra ID and Azure, segmented Azure landing zones, and robust Conditional Access policies backed by phishing-resistant MFA.

2. Record-breaking 100 million RPS DDoS attack exploits HTTP/2 Rapid Reset Flaw

In its Q3 2023 DDoS threat report, Cloudflare said it mitigated thousands of hyper-volumetric HTTP DDoS attacks, 89 of which exceeded 100 million requests per second (RPS), all exploiting the HTTP/2 Rapid Reset flaw (CVE-2023-44487). The flaw was disclosed on 10 October 2023 after coordinated research by Cloudflare, Google and Amazon Web Services (AWS), all of which had been targeted by an unknown actor since late August. The technique is simple: the client opens an HTTP/2 stream and immediately sends RST_STREAM, so the request never counts against the server's concurrent-stream limit while the server still spends CPU handling it, which lets a single connection generate far more server-side load than the protocol was meant to allow. Total HTTP DDoS attack requests in Q3 2023 surged to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023 (Q4 2022 recorded 6.5 trillion).

Botnets running on cloud platforms and exploiting the HTTP/2 flaw can exert up to 5,000 times more force per node, which is what makes these hyper-volumetric attacks possible. The most targeted industries included gaming, IT, cryptocurrency, computer software and telecom. Beyond patching HTTP/2 servers and proxies (most vendors shipped fixes that cap how many streams a client may reset per connection), organizations should put an automated, always-on HTTP DDoS protection service in front of their HTTP applications to keep services available.
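To make the Rapid Reset pattern and the per-connection mitigation concrete, the following Python is an added example (not Cloudflare's, Google's or any server vendor's code). It parses raw HTTP/2 frames and applies the kind of policy the fixes introduced: a client may reset only a bounded number of streams relative to the concurrent-stream limit, after which the connection is closed. The budget formula (max_concurrent_streams * reset_budget_factor), the sample traffic and the frame builder are this example's assumptions; the frames are constructed in memory and no connection preface or SETTINGS exchange is modelled.

```python
"""Per-connection check for the HTTP/2 Rapid Reset pattern (CVE-2023-44487).

Added example; not Cloudflare's, Google's or any server vendor's code.
The reset budget and the sample traffic are assumptions for illustration.
"""
import struct

HEADERS_FRAME = 0x1
RST_STREAM_FRAME = 0x3
FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
END_STREAM = 0x1
END_HEADERS = 0x4
ERR_CANCEL = 0x8


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            break                                   # truncated trailing frame
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialise one HTTP/2 frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def rapid_reset_verdict(data: bytes, max_concurrent_streams: int = 100,
                        reset_budget_factor: int = 2):
    """Return (streams_opened, streams_reset, close_connection).

    Policy (assumption): over the life of a connection a client may send at
    most max_concurrent_streams * reset_budget_factor RST_STREAM frames.
    A normal client rarely resets streams; a Rapid Reset client resets
    nearly every stream it opens, so it exhausts the budget almost at once.
    """
    opened = reset = 0
    budget = max_concurrent_streams * reset_budget_factor
    for ftype, _flags, stream_id, _payload in iter_frames(data):
        if ftype == HEADERS_FRAME and stream_id % 2 == 1:   # odd ids are client-initiated
            opened += 1
        elif ftype == RST_STREAM_FRAME:
            reset += 1
            if reset > budget:
                return opened, reset, True
    return opened, reset, False


def build_rapid_reset_traffic(n_streams: int) -> bytes:
    """Constructed attack traffic: every HEADERS is cancelled by an immediate RST_STREAM."""
    out = bytearray()
    for i in range(n_streams):
        sid = 2 * i + 1
        # 0x82 is the HPACK indexed field ':method: GET', enough for a minimal request
        out += frame(HEADERS_FRAME, sid, b"\x82", END_HEADERS | END_STREAM)
        out += frame(RST_STREAM_FRAME, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


def build_benign_traffic(n_streams: int) -> bytes:
    """Constructed normal traffic: many requests on one connection, no resets."""
    out = bytearray()
    for i in range(n_streams):
        out += frame(HEADERS_FRAME, 2 * i + 1, b"\x82", END_HEADERS | END_STREAM)
    return bytes(out)


if __name__ == "__main__":
    print("benign:", rapid_reset_verdict(build_benign_traffic(500)))
    print("attack:", rapid_reset_verdict(build_rapid_reset_traffic(500)))
```

With the defaults, 500 ordinary requests pass untouched, while the attack traffic trips the budget on the 201st reset and the connection is closed; a real server would also need to keep the pre-reset work (header parsing, handler dispatch) cheap, since the attacker's cost per stream stays near zero.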

3. HelloKitty ransomware group exploits Apache ActiveMQ vulnerability for RCE

Cybersecurity researchers have reported active exploitation of CVE-2023-46604, a critical remote code execution vulnerability in the Apache ActiveMQ open-source message broker. The flaw lies in the OpenWire protocol handler (exposed by default on TCP port 61616): when unmarshalling a throwable, the broker instantiates a class by the name supplied in the message without checking that it really is a Throwable, so an unauthenticated attacker can make it load an arbitrary class and execute shell commands. Fixes are available in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3; since disclosure, proof-of-concept exploit code and technical details have been made publicly available.

Based on the ransom note and available evidence, researchers attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a hacking forum in early October 2023. The adversary exploits the vulnerability to fetch remote binaries, including a .NET executable and an encryption payload, and launch a ransomware-like process. Users are strongly advised to update to a fixed version of ActiveMQ immediately, restrict network access to the OpenWire port, and scan broker logs and hosts for indicators of compromise.
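Two checks a defender would want for this advisory, as an added Python example that is not Apache's or any vendor's tooling: a version test against the fixed releases named above, and a scan of broker logs for the sign that OpenWire was fed a class name that is not a Throwable. The sample log lines are constructed, modelled on the ClassCastException that public analyses reported seeing in activemq.log during exploitation attempts; treat the exact layout as an assumption and adapt the regexes to your own logs.

```python
"""Exposure checks for CVE-2023-46604 in Apache ActiveMQ.

Added example; not Apache's or any vendor's tooling. Fixed versions are the
ones named in the advisory. SAMPLE_LOG is constructed, not a real capture.
"""
import re

# Release lines that received a fix; every 5.x release below 5.15.16 is vulnerable.
FIXED_VERSIONS = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
                  (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}


def parse_version(text: str):
    """'5.18.2' -> (5, 18, 2); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    if v < (5, 15, 16):
        return True                       # older 5.x line, no fixed release exists
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


VERSION_RE = re.compile(r"Apache ActiveMQ (\d+\.\d+\.\d+)")
# Java 11+ phrases the message as 'class X cannot be cast to class java.lang.Throwable';
# older JDKs omit the word 'class'. The offending class name is what matters.
CAST_RE = re.compile(r"ClassCastException: (?:class )?(?P<cls>[\w.$]+) cannot be cast to "
                     r"(?:class )?java\.lang\.Throwable")
PEER_RE = re.compile(r"Transport Connection to: tcp://(?P<ip>[\d.]+):(?P<port>\d+)")


def broker_version_from_log(lines):
    """Version announced in the broker's own startup line, or None if absent."""
    for ln in lines:
        m = VERSION_RE.search(ln)
        if m:
            return m.group(1)
    return None


def scan_log(lines):
    """One finding per line where OpenWire tried to instantiate a non-Throwable class."""
    hits = []
    for ln in lines:
        m = CAST_RE.search(ln)
        if not m:
            continue
        peer = PEER_RE.search(ln)
        hits.append({"class": m["cls"], "source": peer["ip"] if peer else None, "line": ln})
    return hits


# Constructed sample log lines (assumption about layout; RFC 5737 test addresses).
SAMPLE_LOG = [
    "2023-10-27 11:02:13,004 | INFO  | Apache ActiveMQ 5.18.2 (localhost, ID:broker-1) is starting"
    " | org.apache.activemq.broker.BrokerService | main",
    "2023-10-27 11:05:41,118 | WARN  | Transport Connection to: tcp://203.0.113.7:51234 failed:"
    " java.lang.ClassCastException: class org.springframework.context.support."
    "ClassPathXmlApplicationContext cannot be cast to class java.lang.Throwable"
    " (org.springframework.context.support.ClassPathXmlApplicationContext is in unnamed module"
    " of loader 'app'; java.lang.Throwable is in module java.base of loader 'bootstrap')"
    " | org.apache.activemq.broker.TransportConnection.Transport"
    " | ActiveMQ Transport: tcp:///203.0.113.7:51234@61616",
    "2023-10-27 11:06:02,551 | WARN  | Transport Connection to: tcp://198.51.100.9:40022 failed:"
    " java.io.EOFException | org.apache.activemq.broker.TransportConnection.Transport"
    " | ActiveMQ Transport: tcp:///198.51.100.9:40022@61616",
]


if __name__ == "__main__":
    ver = broker_version_from_log(SAMPLE_LOG)
    print(f"broker {ver}: {'VULNERABLE' if ver and is_vulnerable(ver) else 'patched/unknown'}")
    for hit in scan_log(SAMPLE_LOG):
        print(f"exploitation attempt from {hit['source']} loading {hit['class']}")
```

A hit from scan_log means an attacker already reached the OpenWire port; the host should be treated as possibly compromised even when the broker has since been patched, because a successful attempt produces no such error.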

4. New security flaws discovered in NGINX Ingress controller for Kubernetes

Three high-severity vulnerabilities in the Kubernetes ingress-nginx controller have been disclosed, each giving an attacker who can create or modify Ingress objects a path to the controller's credentials: CVE-2022-4886 (a bypass of path sanitization), CVE-2023-5043 (annotation injection leading to arbitrary command execution) and CVE-2023-5044 (code injection through the nginx.ingress.kubernetes.io/permanent-redirect annotation). Because the controller runs with a service account that can read secrets cluster-wide, stealing its token lets the attacker harvest sensitive data across the cluster.

The Ingress object lets operators specify how incoming HTTP paths are routed to backend services, and annotations on it are templated into nginx.conf. The vulnerable versions did not validate these paths and annotation values strictly enough, so crafted values could be turned into arbitrary nginx directives and used to read the service account token the controller presents to the API server. Update ingress-nginx to the latest version, run the controller with the --enable-annotation-validation flag and strict path-type validation, and restrict which users and pipelines may create Ingress objects.
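As a defence-in-depth gate in CI or an admission webhook, a manifest lint can reject Ingress objects whose paths or nginx annotations carry characters that would let the value escape into nginx configuration. The Python below is an added example, not part of ingress-nginx; its forbidden-character set, path and URL regexes, and the two sample manifests are this example's assumptions. Upgrading the controller and enabling its own annotation validation remains the real fix.

```python
"""Static lint for Ingress manifests destined for ingress-nginx.

Added example; not ingress-nginx code. Character sets and regexes are
assumptions chosen to reject anything that could terminate or inject an
nginx directive when a controller templates the value into nginx.conf.
"""
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# Characters that end/inject nginx directives or expand variables (assumption).
FORBIDDEN_CHARS = set(";{}$#\\\n\r")
# Absolute path made of unreserved URL characters; '..' segments are checked separately.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._~-]+/?)*$")
# Annotations whose value is copied into a redirect and therefore must be a plain URL.
URL_ANNOTATIONS = {"permanent-redirect", "temporal-redirect"}
ABS_URL = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/?=&%-]*)?$")


def lint_ingress(manifest: dict) -> list:
    """Return a list of human-readable findings; an empty list means the manifest passed."""
    findings = []
    meta = manifest.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    for key, value in meta.get("annotations", {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        short, value = key[len(ANNOTATION_PREFIX):], str(value)
        bad = sorted(FORBIDDEN_CHARS & set(value))
        if bad:
            findings.append(f"{name}: annotation {short} contains forbidden characters {bad!r}")
        if short in URL_ANNOTATIONS and not ABS_URL.match(value):
            findings.append(f"{name}: annotation {short} is not a plain absolute URL: {value!r}")
    for rule in manifest.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            path, ptype = p.get("path", ""), p.get("pathType", "ImplementationSpecific")
            if ptype == "ImplementationSpecific":
                findings.append(f"{name}: path {path!r} uses ImplementationSpecific "
                                "(regex semantics in ingress-nginx); review manually")
            elif ".." in path.split("/") or not SAFE_PATH.match(path):
                findings.append(f"{name}: path {path!r} ({ptype}) is not a clean absolute path")
    return findings


# Constructed sample manifests (dicts as a YAML loader would produce them).
GOOD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://shop.example.test/new"}},
    "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
        {"path": "/api/v1", "pathType": "Prefix",
         "backend": {"service": {"name": "shop", "port": {"number": 80}}}}]}}]},
}
BAD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "evil", "annotations": {
        # a value carrying ';', braces and a newline, which verbatim templating would
        # render as additional nginx directives (constructed, not a working payload)
        "nginx.ingress.kubernetes.io/permanent-redirect":
            "https://example.test/;}\nlocation /leak { return 200 $http_authorization; }"}},
    "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
        {"path": "/api/../admin", "pathType": "Prefix",
         "backend": {"service": {"name": "shop", "port": {"number": 80}}}},
        {"path": "/$(id)", "pathType": "Exact",
         "backend": {"service": {"name": "shop", "port": {"number": 80}}}}]}}]},
}


if __name__ == "__main__":
    for m in (GOOD_INGRESS, BAD_INGRESS):
        print(m["metadata"]["name"], lint_ingress(m) or "OK")
```

The lint is deliberately stricter than the Ingress API schema: ImplementationSpecific paths are flagged for review rather than parsed, because in ingress-nginx they carry regex and alias semantics that a simple allowlist cannot reason about.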

5. EleKtra-Leak campaign exploits AWS IAM credentials for cryptojacking

Researchers at Unit 42 have uncovered the ongoing EleKtra-Leak campaign, which hunts for AWS IAM credentials accidentally committed to public GitHub repositories. The threat actor uses automated tools to clone repositories within minutes of a credential being pushed, extract the keys and spin up multiple large EC2 instances across regions for cryptomining. Over 400 API calls within seven minutes demonstrate the actor's agility. The operators work through VPNs to conceal their location and blocklist AWS accounts that repeatedly expose credentials, apparently to avoid honeypots.

The campaign has run since at least 2020 and fuels extensive, persistent cryptojacking. Organizations that find an exposed key should treat it as compromised: revoke it in IAM immediately, remove it from the repository and its history, and audit CloudTrail for everything the key did. Longer term, replace long-lived access keys with short-lived credentials (IAM roles and STS), keep AWS's compromised-key quarantine policy (AWSCompromisedKeyQuarantineV2) in place when AWS applies it, turn on GitHub secret scanning and push protection, and run EDR on developer endpoints.
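The pace described above (hundreds of API calls within minutes of a leak, instances launched in several regions) is itself a detection signal. The Python below is an added example, not Unit 42's or AWS's tooling: it replays CloudTrail-shaped events, keeps a sliding window per access key and reports keys whose call rate, region spread or RunInstances count exceeds a threshold. The events are constructed in memory using AWS's documented example key ids, and the thresholds are assumptions tuned to the campaign's reported tempo.

```python
"""Flag the burst of API activity that follows a leaked AWS access key.

Added example; not Unit 42's or AWS's code. Events are constructed with the
CloudTrail fields used here (eventTime, eventSource, eventName, awsRegion,
userIdentity.accessKeyId, sourceIPAddress); thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def detect_key_bursts(events, max_calls=200, window=timedelta(minutes=7),
                      max_regions=3, max_run_instances=5):
    """Return {accessKeyId: stats} for keys that trip at least one threshold."""
    recent = defaultdict(deque)          # key -> timestamps inside the sliding window
    stats = defaultdict(lambda: {"peak_window_calls": 0, "regions": set(), "run_instances": 0})
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue                      # role sessions without a key id are out of scope here
        t = parse_time(ev["eventTime"])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        s = stats[key]
        s["peak_window_calls"] = max(s["peak_window_calls"], len(q))
        s["regions"].add(ev["awsRegion"])
        if ev["eventSource"] == "ec2.amazonaws.com" and ev["eventName"] == "RunInstances":
            s["run_instances"] += 1
    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["peak_window_calls"] > max_calls:
            reasons.append(f"{s['peak_window_calls']} calls within {window}")
        if len(s["regions"]) > max_regions:
            reasons.append(f"activity in {len(s['regions'])} regions")
        if s["run_instances"] >= max_run_instances:
            reasons.append(f"{s['run_instances']} RunInstances calls")
        if reasons:
            findings[key] = {**s, "regions": sorted(s["regions"]), "reasons": reasons}
    return findings


def build_sample_events():
    """Constructed events: one leaked key hammered for seven minutes, one quiet key."""
    start = datetime(2023, 10, 30, 14, 0, 0, tzinfo=timezone.utc)
    regions = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1", "sa-east-1", "ca-central-1"]
    events = []
    for i in range(420):                  # 420 calls, one per second, from a VPN exit address
        name = "RunInstances" if i % 30 == 0 else "DescribeInstances"
        events.append({"eventTime": (start + timedelta(seconds=i)).strftime(TIME_FMT),
                       "eventSource": "ec2.amazonaws.com", "eventName": name,
                       "awsRegion": regions[i % len(regions)],
                       "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
                       "sourceIPAddress": "198.51.100.23"})
    for i in range(10):                   # a developer's key: ten reads over an hour, one region
        events.append({"eventTime": (start + timedelta(minutes=6 * i)).strftime(TIME_FMT),
                       "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                       "awsRegion": "us-east-1",
                       "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
                       "sourceIPAddress": "203.0.113.5"})
    return events


if __name__ == "__main__":
    for key, info in detect_key_bursts(build_sample_events()).items():
        print(key, "->", "; ".join(info["reasons"]))
```

Run over a real CloudTrail export the same logic will also surface legitimate automation, so pair the alert with a check that the key belongs to an IAM user rather than a role session, which is exactly the kind of long-lived credential this campaign depends on.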

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
