We’re collecting notable incident and vulnerability reports from the past week.

Google, Cloudflare and AWS reported the largest DDoS attack in history

Internet infrastructure providers Google Cloud, Cloudflare and Amazon Web Services have experienced the largest DDoS attacks in their history.

The attacks were reported on 10. October, with cloud service providers saying the attacks were part of a mass exploitation of a zero-day vulnerability in the HTTP/2 protocol. The DDoS attacks themselves began during August and are still ongoing at the time of writing.

In a blog post, Google explained that this was the “largest DDoS attack to date”, with the number of requests per second (rps) reaching more than 398 million, seven and a half times the previous record DDoS. Google noted that the 398 million reqs corresponds to “more requests than the total number of article views on Wikipedia for the entire month of September 2023”.

The HTTP/2 Rapid Reset attack exploits specific features of the HTTP/2 protocol to overload servers. The first stage of this attack is to establish an HTTP/2 connection to the server and then immediately send a ‘Reset’ message to terminate the connection. On the attacker’s side, this action is not demanding in terms of execution, but it imposes a significant load on the server when releasing and “cleaning up” the connection.

Furthermore, the attack uses ‘stream multiplexing’, which allows an attacker to send a large number of requests and then immediately cancel them. This creates a significant server load with minimal cost to the attacker. This attack is amplified by opening and immediately dropping a large number of streams at once without waiting for server or proxy responses, leading to server resource exhaustion

In a post on their blog, Cloudflare’s CSO mentions that the attack could have been carried out using a relatively small botnet consisting of roughly 20,000 machines.

---

Critical vulnerabilities in Curl have been patched and users are advised to update.

Probably the worst curl security flaw in a long time. This is how Daniel Stenberg, founder and lead developer of the curl project, referred to the bug tracked as CVE-2023-38545.

This vulnerability is of the buffer overflow type, which is a type of vulnerability in which a program writes data to an allocated memory buffer in such a way that it exceeds the buffer size and spills the data into other memory locations. Although proof-of-concept exploits have so far only demonstrated the application crashing, the researchers believe it is only a matter of time before code execution is achieved. The good news is that only certain configurations are vulnerable, and not the default ones.

The vulnerability is fixed in the new Curl 8.4.0 and users are advised to upgrade to this latest version as soon as possible.

---

Ransomware attacks now target unpatched WS_FTP servers

I informed you about a critical vulnerability in Progress software’s WS_FTP server in a previous Security Sunday. A vulnerability with CVE-2023-40044 and CVSS in 3 score 10 is now being actively exploited for ransomware attacks.

Although Progress software has released an update, many servers are still exposed to the Internet with this vulnerability, which attackers are exploiting to launch ransomware attacks. Since the ransom is relatively small, it can be concluded that the attacks are carried out by automated scripts.

---

Ransomware Overview: September 2023

We’ll stay with ransomware and look at a summary of ransomware attacks for September 2023.

This research comes from Malwarebytes and includes reported attacks by ransomware groups on their darkweb sites.

A total of 427 ransomware victims were recorded in September. As usual, Lockbit (72) topped the charts.

New players included LostTrust (53), ThreeAM (10) and CiphBit (8).

Last month, the biggest attacks were on MGM Resorts and Caesar Entertainment. We have informed you about these attacks in previous security sundays.

The Malwerebytes report also shows that the CVE-2023-20269 zero-day vulnerability in Cisco VPN devices is frequently exploited.

---

Mirai DDoS malware variant spreads to more routers

A variant of the Mirai botnet, tracked as IZ1H9, added thirteen new payloads targeting Linux routers from D-Link, Zyxel, and TP-Link.

Fortinet researchers report that around the first week of September, they recorded tens of thousands of attempts to exploit vulnerable devices.

IZ1H9 compromises devices to include them in its DDoS botnet, and then executes DDoS attacks on designated targets. Fortinet reports that IZ1H9 exploits vulnerabilities in routers from 2015 to 2023.

In addition to routers, the attacks also target IoT devices and try to use a butefore attack to access the login credentials encrypted in these devices.

IoT owners are advised to use strong login credentials, update devices to the latest available firmware version, and limit their exposure to the internet where possible.

---