October has been a busy month: we have seen a new DDoS technique that allows attacks to scale to an unprecedented level, identity and access management giant Okta failing to adequately protect client credentials, and Meta receiving the gavel over their European advertising practices.

New/Improved Techniques

HTTP/2 Rapid Reset DDoS

A new distributed denial of service (DDoS) zero-day vulnerability named HTTP/2 Rapid Reset was discovered in November and has been actively utilised to break all previous DDoS requests per second (RPS, the unit in which the size of a DDoS attack is measured) records. The attack exploits a weakness in the HTTP/2 protocol’s stream cancellation feature, which is used to send and cancel requests. The protocol does not require the client and server to coordinate the cancellation, which allows attackers to send a barrage of requests without waiting for any responses.

An RPS record was set in February of this year when Cloudflare mitigated an attack of 71 million RPS. This new technique has allowed malicious actors to blow that out of the water, with Google reporting that they had mitigated an attack of 398 million RPS in early October. Cloudflare have seen a rise in the number of 502 (bad gateway) error reports from their clients due to the attack, and have been working to mitigate these attacks by expanding their hyper-volumetric attack handling system to cover their entire infrastructure. Dubbed ‘IP Jail’, the system blocks offending IPs from using HTTP/2 on any Cloudflare domain for a cooldown period.
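As an added illustration (not code from the original newsletter or from any vendor named in it), the sketch below shows the per-connection mitigation pattern HTTP/2 servers adopted against Rapid Reset: count how many in-flight streams a client cancels within a short window, and send GOAWAY once that exceeds what a legitimate client would ever do. The frame kinds, thresholds and the `RapidResetGuard` / `attack_frames` names are assumptions, and the attack traffic is constructed for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Simplified view of the HTTP/2 frames involved: "HEADERS" = client opens a stream,
# "RST_STREAM" = client cancels it, "RESPONSE_DONE" = server finished it.
@dataclass
class Frame:
    conn: str        # connection id (client IP:port in practice)
    kind: str
    stream_id: int
    ts: float        # seconds

@dataclass
class ConnState:
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)  # cancellations of still-open streams
    closed: bool = False

class RapidResetGuard:
    """Close a connection that cancels more in-flight streams per window than a real client would."""
    def __init__(self, max_resets=100, window=1.0):   # thresholds are assumptions
        self.max_resets, self.window = max_resets, window
        self.conns = defaultdict(ConnState)

    def observe(self, f: Frame) -> str:
        st = self.conns[f.conn]
        if st.closed:
            return "dropped"                     # already sent GOAWAY; ignore the rest
        if f.kind == "HEADERS":
            st.open_streams.add(f.stream_id)
        elif f.kind == "RESPONSE_DONE":
            st.open_streams.discard(f.stream_id)
        elif f.kind == "RST_STREAM" and f.stream_id in st.open_streams:
            # A reset of a stream the server already finished costs nothing; only
            # cancellations of work in progress are counted against the client.
            st.open_streams.discard(f.stream_id)
            st.reset_times.append(f.ts)
            while f.ts - st.reset_times[0] > self.window:   # slide the window
                st.reset_times.popleft()
            if len(st.reset_times) > self.max_resets:
                st.closed = True
                return "goaway"                  # server sends GOAWAY and closes the socket
        return "ok"

def attack_frames(conn, n, gap=0.0001):
    """Constructed Rapid Reset traffic: open a stream and cancel it at once, n times."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1                          # client-initiated stream ids are odd
        frames += [Frame(conn, "HEADERS", sid, i * gap), Frame(conn, "RST_STREAM", sid, i * gap)]
    return frames
```

A real server would additionally put the offending source into a cooldown list, which is the role Cloudflare's IP Jail plays.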

Enhanced Google Play Protect

Google have announced an uplift to Google Play Protect, the built-in malware protection enabled on all Android devices with Google Play Services. The service scans up to 125 billion applications daily but has historically had trouble detecting polymorphic applications, where the malicious functionality is retrieved post-install, after the application has already been scanned by Google Play Services.

Enhanced Play Protect adds real-time scanning at the code level of downloaded and previously installed apps, and uses AI to combat novel malicious applications. The enhancement can block and disable applications automatically.

The service is expected to roll out in all regions over the coming months, with the exception of phones manufactured by Huawei, which, due to US law, do not have access to Google Play Services.

Fake Browser Updates – Now with Immutable Payloads!

Another old malware delivery trick has burst back onto the scene recently, using a new method to store and deliver the payload: cryptocurrency blockchains and smart contracts. The campaign has been active in the latter half of 2023 but has recently had to change tack; having previously stored its malicious files on Cloudflare (which aggressively blocked the accounts), the group behind the campaign has moved to using the Binance Smart Chain (BSC) to host its payload.

Hosting on a blockchain lets the group exploit its public and immutable nature to avoid takedowns. The technique abuses a cost-free smart contract debugging feature, intended for diagnosing contract execution issues, to retrieve the obfuscated payload. Actors using this technique still have to contend with WordPress site takedowns, but hosting the payload on-chain certainly makes their lives easier.

Attacks / Threats

[US] Okta Breach Wipes $2 Billion off Market Capitalisation

US identity and access management giant Okta saw their market cap drop by $2 billion overnight in October when they revealed that malicious actors had gained access to their support system, which contained client files.

Initial ingress is believed to be tied to an Okta employee who had saved credentials for a shared service account into their browser’s password manager, which was synced to their compromised personal Gmail account. The malicious actor used the shared service account to access the Okta client support portal, where they were able to capture HTTP archive (HAR) files, which were then used to access client accounts. HAR files are collected as part of Okta’s troubleshooting process and, if not sanitised, contain full session tokens, which can be used to bypass MFA.

BeyondTrust (a privileged identity management provider), whose product integrates directly with Okta, first notified Okta in early October after noticing strange activity against one of their accounts. Luckily for BeyondTrust, the account had additional security controls in place, and in this case the managed-device requirement on the account blocked access. The compromise was raised to Okta on October 2nd but did not receive acknowledgement until the 19th, when BeyondTrust were notified as an impacted party after Okta had completed their investigation.

Not mentioned in any report was the MFA status of the breached service account, indicating that it may have lacked this control completely. This highlights an ongoing issue we have seen in the market: the lack of a convenient solution for shared-account MFA, especially in small to medium-sized enterprises.
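Because the HAR files at the centre of this incident carry live session tokens, teams that hand such files to a vendor should scrub them before upload. The sanitiser below is an added example, not Okta’s or any vendor’s tool: the header and parameter name lists and the `scrub_har` / `sample_har` names are assumptions, and the HAR fragment is constructed to resemble a browser DevTools export.

```python
import re

REDACTED = "[REDACTED]"
# Names assumed to carry session state; extend for application-specific headers.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_NAME = re.compile(r"token|session|sid|auth|passw|secret|key", re.I)

def _scrub_pairs(pairs, always=False):
    """Redact the value of each HAR {"name", "value"} pair that looks session-bearing."""
    n = 0
    for p in pairs:
        name = p.get("name", "")
        if always or name.lower() in SENSITIVE_HEADERS or SENSITIVE_NAME.search(name):
            if p.get("value") != REDACTED:
                p["value"] = REDACTED
                n += 1
    return n

def scrub_har(har):
    """Redact cookies, auth headers, token-like query params and response bodies in place.
    Returns the number of values redacted (0 on a second pass, so the scrub is idempotent)."""
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        n += _scrub_pairs(req.get("headers", [])) + _scrub_pairs(resp.get("headers", []))
        n += _scrub_pairs(req.get("cookies", []), always=True)
        n += _scrub_pairs(resp.get("cookies", []), always=True)
        n += _scrub_pairs(req.get("queryString", []))
        # Response bodies can echo tokens too (e.g. a JSON login response); drop them
        # outright rather than trying to guess which fields are sensitive.
        if resp.get("content", {}).pop("text", None) is not None:
            n += 1
    return n

def sample_har():
    """Constructed HAR fragment (not a real capture) in the shape DevTools exports."""
    return {"log": {"entries": [{
        "request": {
            "headers": [{"name": "Cookie", "value": "sid=abc123"},
                        {"name": "Accept", "value": "*/*"}],
            "cookies": [{"name": "sid", "value": "abc123"}],
            "queryString": [{"name": "redirect", "value": "/home"},
                            {"name": "token", "value": "t0k3n"}]},
        "response": {
            "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "def456"}],
            "content": {"mimeType": "application/json", "text": '{"sessionToken":"xyz"}'}}}]}}
```

Run the scrub on the parsed `log` object of a real export and re-serialise with `json.dump`; the redaction is deliberately generous, since an over-redacted HAR is still useful for troubleshooting and an under-redacted one is a credential leak.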

[Global] Palestine Cryptocurrency Donation Scams

As we saw during the early months of the war in Ukraine, scammers have been quick to exploit the humanitarian crisis to make easy money. Hundreds of email campaigns and social media posts have been identified asking for donations for the victims of the crisis in the Middle East and providing a crypto wallet address to collect them.

The scams range from impersonations of real charities to generic, low-quality, made-up charities. The spam emails have been noted to use synonym text variations to evade spam filters. As with most scams of this nature, these campaigns target, and are effective against, older and/or less wary users.

[US] BlackCat Claim Attack on Henry Schein

The BlackCat/ALPHV ransomware group has claimed to have lifted a staggering 35 TB of data from healthcare solutions giant Henry Schein in a ransomware attack. The organisation was forced to take some of its core systems offline and engage cybersecurity and forensic experts, while BlackCat released hints that the data included internal payroll and shareholder information.

Two weeks after the initial attack, BlackCat re-encrypted some of the company’s systems, claiming a breakdown in negotiations; this indicates that BlackCat had maintained some level of access during the response effort. The re-encryption caused a further two weeks of outages, and the company’s e-commerce platform is still offline a month after the attack. The removal of Henry Schein’s data from the BlackCat leak site since the re-encryption may indicate that negotiations are back underway, or that a ransom has been paid.

[Global] $4.4 Million Stolen in One Day – LastPass Breach Update

Security researchers tracking LastPass breach activity have linked the theft of $4.4 million in cryptocurrency in a single day to the use of private keys and passphrases stolen in the LastPass breach in late 2022. This finding was independently verified by multiple security groups researching the breach. While the number of victims who can trace their stolen credentials back to LastPass makes it clear that the stolen LastPass vaults have been decrypted, we are yet to see any attacks beyond cryptocurrency theft definitively linked to the LastPass breach.

The advice remains the same: any credentials stored in LastPass prior to the breach must be changed immediately, especially where the vault’s plaintext fields indicate they are tied to cryptocurrency.

[Europe] Meta Banned from Targeted Advertising

A temporary ban imposed by the Norwegian Data Protection Authority in July has been extended by the European Data Protection Board to cover the European Economic Area. The ban applies specifically to Facebook and Instagram, who use posted information, user preferences and location data to build advertising profiles for users – a technique known as behavioural advertising.

In 2022 alone, Meta was forced to pay over $700 million in fines for various breaches of the General Data Protection Regulation (GDPR), and was found not to have demonstrated compliance with the orders imposed in those cases. Although Meta has indicated that it would implement a system allowing users to consent to their data being used for behavioural advertising, it has yet to roll this out.

[Global] Mozi Botnet Takedown

Cybersecurity researchers at ESET discovered that a kill command had been distributed to the Mozi botnet after noticing a sharp decrease in its activity. Active since 2019, the Mozi botnet consisted of IoT devices located primarily in India and China. The takedown remains a mystery: no party has claimed responsibility, leading to speculation that it may have been taken down by choice of its operators, or by the Chinese government.

The team at ESET were able to recover the takedown payload from a UDP message captured on an infected device. The payload mirrored others typically used in botnet takedowns, using the botnet’s own self-propagation mechanism to reach infected machines, then ending malicious processes, disabling abused system services and ports (such as SSH), and deleting the original payload.