This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Martin Choluj, VP of Security at ClickHouse
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Internet-wide zero-day bug fuels largest-ever DDoS attack
An Internet-wide zero-day vulnerability is to blame for a record-breaking distributed denial-of-service (DDoS) attack dubbed “HTTP/2 Rapid Reset” (CVE-2023-44487). Amazon Web Services, Cloudflare, and Google Cloud each observed the attack, which lasted only minutes, on August 28 and 29, with Google recording a peak of 398 million requests per second (rps), seven and a half times larger than any previous attack against its resources. The providers partnered with DDoS security and infrastructure vendors to minimize the effects of the attacks, mainly through load balancing and other edge strategies. The exploited protocol, HTTP/2, lets browsers fetch website images and text quickly, and it is used by roughly 60% of all Web applications. Many organizations will remain exposed to the attack until they patch their HTTP/2 instances.
(Dark Reading and CyberScoop)
23andMe resets user passwords after genetic data posted online
Following up on a story Cyber Security Headlines brought to you on Monday, genetic testing company 23andMe said it is requiring users to reset their passwords “out of caution.” The company said that hackers accessed accounts using passwords that had been made public in previous data breaches. Beginning last Wednesday, hackers began advertising alleged 23andMe user data on BreachForums, offering individual profiles for between $1 and $10 each. According to 23andMe, the data was “compiled” from users who had opted into a feature that automatically shares their data with others. In effect, this would let a hacker reach more than one victim’s data for every account they broke into.
Network protocol open-source tool Curl faces worst security flaw in a long time
Curl, the open-source tool that supports network protocols including SSL, TLS, HTTP, FTP, and SMTP for tasks such as interfacing with APIs and downloading files, is facing two significant vulnerabilities. An advisory published Wednesday on GitHub announced that fixes for a high-severity vulnerability, tracked as CVE-2023-38545, will be released tomorrow, October 11. A GitHub maintainer described the vulnerability as “probably the worst curl security flaw in a long time,” but declined to disclose further details. Melissa Bischoping, director of endpoint security research at Tanium, said, “organizations should take advantage of the advance heads-up to begin scoping their environment.” She continued, “given the advanced notice from the lead developer himself and the widespread impact it could have, it would be prudent to plan for a significant event even if the actual impact ends up being less severe.”
SEC investigates MOVEit
In a regulatory filing, Progress Software disclosed that the US SEC has opened an investigation into the rash of hacks stemming from the vulnerabilities in its MOVEit managed file transfer product. The company received a subpoena for documents and information related to the vulnerability. Emsisoft estimates the MOVEit attacks impacted over 2,500 organizations. In the filing, Progress said costs related to the vulnerability amounted to $1 million, but said losses could mount after 23 customers launched legal action against it, in addition to the 58 class action lawsuits filed by individuals.
Update 10-13-2023: Headline updated to remove mention of costs related to a November 2022 cybersecurity incident based on an update from the reporting source.
Thanks to today’s episode sponsor, Hyperproof

404 pages hijacked
Researchers at Akamai spotted a new campaign by the threat actors behind the Magecart payment skimmer. The campaign hides JavaScript code in an HTML comment on a site’s 404 page. The threat actors combine this with modifications to other site pages that reference a nonexistent folder, so that visitors are sent to the 404 page more often. While in some ways this attack is consistent with Magecart attackers finding new ways to obfuscate code, researchers noted that calling a nonexistent folder is a much “noisier” approach than the group typically employs.
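The two observable traits described above, payload-like content inside an HTML comment on the error page and a single nonexistent path referenced from many site pages, are both things a defender can check for. The script below is an added example written for this digest, not Akamai’s tooling or code from the campaign; the 404 page body, the access log lines, the indicator list and the `shop.example` host are all constructed for illustration.

```python
import re
from collections import defaultdict

# ---- Part 1: payload-like content inside HTML comments on the 404 page ----

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Named indicators of script or encoded content inside a comment.
# A plain prose comment such as "<!-- site footer v2 -->" trips none of them.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "dom_write": re.compile(r"\bdocument\.(?:write|createElement)\s*\("),
    "fromCharCode": re.compile(r"\bfromCharCode\b"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),  # long base64-looking run
}

def extract_comments(html):
    """Return the text of every HTML comment in the page body."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]

def flag_comments(html):
    """Return (comment_text, [indicator names]) for each comment that trips an indicator."""
    findings = []
    for text in extract_comments(html):
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append((text, hits))
    return findings

# Constructed sample 404 response body (not a real capture). The second comment
# holds a constructed base64-looking string, not a real payload.
SAMPLE_404_HTML = """<!DOCTYPE html>
<html><head><title>404 Not Found</title></head>
<body>
<h1>Page not found</h1>
<!-- site footer v2 -->
<p>Sorry, that page does not exist.</p>
<!--
  eval(atob('Q29uc3RydWN0ZWRTYW1wbGVOb3RBUmVhbFBheWxvYWRBdEFsbA=='))
-->
</body></html>
"""

# ---- Part 2: one nonexistent path linked from many site pages ----

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referers_per_404_path(log_lines):
    """Map each path that returned 404 to the set of distinct Referer pages that led there."""
    refs = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        refs[m.group("path")].add(m.group("referer"))
    return refs

def noisy_404_paths(log_lines, min_referers=3):
    """Paths that 404 and are linked from at least `min_referers` distinct site pages.
    A single nonexistent folder referenced from many pages is the pattern described above."""
    refs = referers_per_404_path(log_lines)
    return sorted(path for path, r in refs.items() if len(r) >= min_referers)

# Constructed access log lines (RFC 5737 documentation addresses, invented host).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:12:00:01 +0000] "GET /icons/ HTTP/1.1" 404 512 "https://shop.example/cart" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:12:00:05 +0000] "GET /icons/ HTTP/1.1" 404 512 "https://shop.example/checkout" "Mozilla/5.0"
203.0.113.12 - - [10/Oct/2023:12:00:09 +0000] "GET /icons/ HTTP/1.1" 404 512 "https://shop.example/product/42" "Mozilla/5.0"
203.0.113.13 - - [10/Oct/2023:12:00:12 +0000] "GET /favicon.ico HTTP/1.1" 404 512 "https://shop.example/" "Mozilla/5.0"
203.0.113.14 - - [10/Oct/2023:12:00:15 +0000] "GET /product/42 HTTP/1.1" 200 8192 "https://shop.example/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for text, hits in flag_comments(SAMPLE_404_HTML):
        print("suspicious comment:", hits, "->", text[:60])
    print("404 paths linked from many pages:", noisy_404_paths(SAMPLE_LOG))
```

Run against a real site, the first half would be fed the body of an actual error response (for example the result of requesting a path you know does not exist), and the second half a day of access logs; the referer threshold is a tuning knob, since a missing favicon or a stale link will also 404 but normally from one or two pages, not from every page on the site.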
Clorox warns of cyberattack costs
Another big brand hit by a cyberattack, Clorox, says it has spent $25 million so far responding to the August attack but expects additional costs and product shortages to come. According to the Wall Street Journal, the time it has taken to recover and the systems affected lead many security experts to suspect ransomware. Representatives from the company said in a statement that sales will tumble between 23% and 28% for the quarter ended Sept. 30, and that it will “post a loss in the quarter, instead of the nearly $150 million in profit that investors had expected.”
Microsoft to kill off VBScript in Windows to block malware delivery
After 27 years of use, Microsoft is planning to phase out Visual Basic Script (or ‘VBScript’) in future Windows releases. The VBScript programming language was introduced in August 1996 and was bundled with Internet Explorer until Microsoft deprecated the browser earlier this year. Malicious actors have used VBScript to distribute malware, including notorious strains like Lokibot, Emotet, Qbot, and DarkGate. Over the past several years, Microsoft has taken measures to curb attacks that abuse VBA macros and has disabled VBScript by default in Internet Explorer 11 on Windows 10. Microsoft will continue to offer VBScript as an on-demand feature until it is sunset.