
The October 2023 OptionOne Cybersecurity Briefing

By OptionOne Technologies

We searched through the most popular cybersecurity websites to bring you the latest industry news, updates, and tips.

Cybersecurity Threat News

Record-Breaking RPS DDoS Attack Exploits Disclosed Flaw

Cloudflare has recorded a significant surge in HTTP DDoS attack traffic, The Hacker News reported. Cloudflare attributes the attacks to a newly discovered vulnerability called HTTP/2 Rapid Reset.

The company observed a notable hike of 65% in HTTP DDoS attack traffic in Q3, compared to the prior quarter, with 89 instances of the attack exceeding 100 million requests per second (RPS). The number of HTTP DDoS attack requests for the quarter even soared to a staggering 8.9 trillion, marking an increase from 5.4 trillion and 4.7 trillion in Q2 and Q1 2023 respectively.

The HTTP/2 Rapid Reset flaw (CVE-2023-44487) was disclosed earlier this month after an industry-wide investigation into DDoS attacks conducted by unknown actors exploiting the flaw to target providers like Amazon Web Services (AWS), Cloudflare, and Google Cloud. Fastly, another major player, reported a similar attack peaking at a volume of about 250 million RPS.

Cloudflare noted the increased capacity of botnets leveraging cloud computing platforms and exploiting HTTP/2, stating, “This allowed them to launch hyper-volumetric DDoS attacks with a small botnet ranging 5-20 thousand nodes alone.”

Several industries are prime targets for these HTTP DDoS attacks, including gaming, IT, cryptocurrency, computer software, and telecom. The company also identified the U.S., China, Brazil, Germany, and Indonesia as the leading sources of application layer (L7) DDoS attacks, while the U.S., Singapore, China, Vietnam, and Canada were primarily on the receiving end of these attacks.

There was also a decrease in ransom DDoS attacks. Cloudflare explained, “This is because threat actors have realized that organizations will not pay them.”

Spy Platform StripedFly Affects 1 Million Victims

In an alarming development, researchers from Kaspersky have uncovered the true capabilities of StripedFly, a malware once dismissed as largely ineffective, DarkReading reported. Initially detected in 2017 as a Monero cryptocurrency miner, StripedFly has since evolved into a comprehensive modular malware platform.

It now boasts a built-in Tor network tunnel for communication, update, and delivery functionality through trusted services like GitHub and Bitbucket, all using custom encrypted archives. It’s estimated that StripedFly has infected over a million systems.

Dubbed the “hallmark of APT malware,” StripedFly operates as a monolithic binary executable code with various pluggable modules. These modules allow attackers to update or extend its functionality.

It first emerges on a network as a PowerShell script, using a custom version of the EternalBlue SMB exploit, which continues to threaten unpatched Windows servers, as its initial entry mechanism. The malware uses different persistence methods, depending on the availability of the PowerShell interpreter and the privileges granted to the process.

The architecture of StripedFly consists of three service modules for configuration storage, upgrading, and uninstalling the malware, and six functionality modules. These modules offer an extensive list of capabilities, from harvesting credentials and executing repeatable tasks including recording microphone input and taking screenshots, to compiling detailed system information and providing penetration and worming capabilities.

The researchers also identified a related ransomware variant, ThunderCrypt, that shares StripedFly’s underlying codebase.

Despite their findings, Kaspersky researchers admit that several questions about StripedFly remain unanswered. The intent of its creators remains a mystery, especially given the existence of a related ransomware component.

Additionally, it’s unclear if StripedFly is still active, with only a few updates observed in the Bitbucket repository. This leaves two possibilities: either there are minimal active infections, or all infected systems are still communicating actively with the malware’s command-and-control servers.

API Security Flaw Impacts Grammarly, Vidio, and Bukalapak

Salt Security has uncovered significant API security vulnerabilities in the OAuth protocol implementations of online platforms Grammarly, Vidio, and Bukalapak, Infosecurity Magazine reported. These vulnerabilities, which have been rectified, had the potential to jeopardize user credentials and facilitate full account takeovers, threatening billions of users globally.

The flaws were primarily associated with the access token verification process in the OAuth protocol. They exposed users to numerous risks, such as unrestricted access to user accounts by cybercriminals, which could lead to unauthorized access to sensitive financial and personal data and, in turn, to identity theft and financial fraud.

OAuth, a widely accepted user authorization and authentication technology, enables users to sign in to websites through their social media accounts, making the sign-in process simpler. The security vulnerabilities in its implementations allowed attackers to employ a “Pass-The-Token Attack”.

Yaniv Balmas, vice president of research at Salt Security, clarified that the problems discovered were not primarily with OAuth but with how it was implemented by various parties utilizing it. Upon being alerted by Salt Labs’ researchers, the affected platforms (Vidio, Bukalapak, and Grammarly) have taken necessary measures to rectify these security vulnerabilities.
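The implementation mistake described above comes down to a backend accepting any valid access token as proof of identity without checking which application the token was issued to. The following is an added example (not code from Salt Security or any of the affected platforms) showing the flawed pattern next to a hardened check. The token-introspection dictionaries are constructed inline; their field names (`aud`, `sub`, `exp`, `email`) follow the JSON shape of Google's tokeninfo endpoint, the client id is a hypothetical placeholder, and nothing is fetched over the network.

```python
"""Audience check for OAuth access tokens handed to a "Log in with X" backend.

Added example, not code from Salt Security or any affected platform. The
token-info dictionaries are constructed in the shape of a provider's
token-introspection response (field names follow Google's tokeninfo JSON:
"aud", "sub", "exp", "email"); the client id is a hypothetical placeholder.
"""
import time

# Hypothetical: the client_id our application registered with the identity provider.
OUR_CLIENT_ID = "our-app.example"

# Fixed "now" so the example is deterministic (constructed Unix timestamp).
NOW = 1_698_000_000

# Constructed introspection result for a token the provider issued to OUR app.
TOKEN_ISSUED_TO_US = {
    "aud": "our-app.example",
    "sub": "user-42",
    "email": "alice@example.com",
    "exp": NOW + 3600,
}

# Constructed result for a token the same user obtained by logging in to a
# DIFFERENT site. Same "sub", different "aud": it proves nothing to us.
TOKEN_ISSUED_TO_OTHER_APP = {
    "aud": "some-other-app.example",
    "sub": "user-42",
    "email": "alice@example.com",
    "exp": NOW + 3600,
}


def vulnerable_login(token_info):
    """Flawed pattern: trust the subject without checking who the token was issued to.

    A token issued to another application is accepted here as proof of
    identity, so whoever holds it is logged in as "sub" (pass-the-token).
    """
    return token_info["sub"]


def validate_token_info(token_info, expected_aud, now=None):
    """Return (ok, reason). Reject tokens not issued to us, expired tokens and
    responses with no subject."""
    now = time.time() if now is None else now
    if token_info.get("aud") != expected_aud:
        return False, "audience mismatch"
    if token_info.get("exp", 0) <= now:
        return False, "token expired"
    if not token_info.get("sub"):
        return False, "missing subject"
    return True, "ok"


def hardened_login(token_info, expected_aud=OUR_CLIENT_ID, now=None):
    """Return the authenticated user id, or None when the token must not be trusted."""
    ok, _reason = validate_token_info(token_info, expected_aud, now)
    return token_info["sub"] if ok else None


if __name__ == "__main__":
    print("vulnerable, foreign token:", vulnerable_login(TOKEN_ISSUED_TO_OTHER_APP))
    print("hardened, foreign token:  ", hardened_login(TOKEN_ISSUED_TO_OTHER_APP, now=NOW))
    print("hardened, our token:      ", hardened_login(TOKEN_ISSUED_TO_US, now=NOW))
```

The audience check is what ties a token to the application that requested it; without it, a token obtained anywhere is as good as one issued to your own login flow. Where the provider supports it, an ID token (OpenID Connect) validated for signature, `aud` and nonce is the more robust way to authenticate a user than introspecting a bare access token.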

Cybersecurity Business News

Businesses Struggle to Manage Generative AI in the Workplace

Findings from Kaspersky suggest that business leaders are losing control over the use of generative AI within their organizations, CSO Magazine reported. Despite only 28% of organizations explicitly authorizing the use of generative AI and a mere 10% having a formal generative AI usage policy, a significant number of employees reportedly use these tools without their superiors’ knowledge.

This trend is particularly prominent in the UK with one in three workers admitting to using generative AI tools covertly.

C-level executives share concerns about this rampant usage of generative AI. According to Kaspersky’s survey, 95% of 1,863 UK and EU executives believe that employees regularly use generative AI. Worryingly, 53% also state that it now influences certain business departments.

This unchecked usage has led to 59% of executives expressing serious concerns about potential security risks, including jeopardizing company information and losing control of core business functions. However, only 22% have considered establishing regulations for monitoring generative AI usage despite 91% acknowledging the need for a better understanding of internal data usage to prevent security breaches or data leaks.

ISACA’s survey of 2,300 global digital trust professionals indicates that the increasing use of generative AI is not matched by corresponding policy or risk management measures. Over 40% of employees reportedly use generative AI, with this figure expected to be higher considering that 35% of respondents were uncertain.

AI tools serve various purposes including content creation, productivity improvement, task automation, customer service, and decision-making. However, only a third of organizations view managing AI risk as an immediate priority, despite identified risks such as misinformation, privacy violations, social engineering, and loss of intellectual property.

The lack of adequate training and attention to ethical standards adds to these risks, raising concerns about possible exploitation by malicious actors.

Cybersecurity Tips

How to Combat Ransomware Attempts

According to a report by CIO Magazine, “Ransomware attacks are becoming more prevalent and lucrative for hackers. These incidents are likely to persist until industry mechanisms are implemented to verify individuals’ identities effectively.”

Recently, casino gaming companies MGM Resorts International and Caesars Entertainment were struck by social engineering attacks that spoofed identities to gain access to their secure systems. Both were customers of the identity management company Okta. The hacker groups identified as BlackCat/ALPHV and Scattered Spider were behind these attacks.

CIO Magazine offered readers some suggestions on how to combat ransomware attacks:

  • Set Up Verification Mechanisms: Implement industry-grade identity verification mechanisms. Consider a ‘secret word’ system, similar to home security protocols. When contacted, the person must provide the secret word for identity confirmation. Yet, remember, this solution may not scale well and it does have vulnerabilities.
  • Use Digital Validation: Upgrade the system to include an automated method for digital conversation validation on a peer-to-peer basis. This ensures that the people communicating are indeed who they claim to be, whether they are interacting within or outside the organization.
  • Use Identity Technology: Counteract spoofing issues by incorporating identity technology. Some innovative startups are already developing AI-enabled software solutions. These add routine steps in your processes that ask users to verify their identities before making transactions or account changes. This additional layer of security enhances protection against ransomware.
  • Verify Other Attributes: Implement systems that verify other attributes, such as age and account ownership, before any conversation takes place with an agent. This is another way to ensure the identity of the person you are dealing with and further secure your system against ransomware attacks.

Thanks for Reading

That’s it for this month’s Cybersecurity Briefing. Contact us today to learn more about our services.



