Top resources for Cybersecurity Awareness Month

2023-10-12 18:00:15
Jonathan Munshaw
blog.talosintelligence.com
Tags: threat source newsletter, cybersecurity awareness month, ransomware, talos apjc threat update, xdr, cisa, http/2 protocol, ddos, cve-2023-44487, google, f5, microsoft

Welcome to this week's edition of the Threat Source newsletter.

I didn't feel like I wanted to write anything special or witty this week given the current events in Israel and the Gaza Strip, but I will certainly advocate for any assistance readers would like to provide to the various organizations and helpers who are trying to do some good for Israeli and Palestinian civilians right now.

And since it's still Cybersecurity Awareness Month, I also wanted to provide some links to various resources, blog posts and podcasts that I've found particularly helpful this month and I think you will, too.

The one big thing

Many of the world's largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record. CVE-2023-44487, a vulnerability in the HTTP/2 protocol, was recently used to launch intensive DDoS attacks against several targets. The problem lies in the way the HTTP/2 protocol handles request cancellations, or stream resets. When a client issues a reset for an HTTP/2 request, the server spends resources cancelling the corresponding stream; however, immediately after issuing the reset, the client can open a new stream.

Why do I care?

Google said the attack in August was the heaviest DDoS assault it has ever recorded at over 398 million requests per second, which the company said is more than seven times larger than any other it has ever recorded. So, the sheer scale is certainly notable. If this type of attack were launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible.

So now what?

Users of any products using the vulnerable protocol – individual companies like F5 and Microsoft have released their own advisories about what was affected – should make sure patches are implemented immediately. However, this issue is largely about having appropriate DDoS mitigation techniques in place in your environment. A newly released Snort rule, SID 62519, can detect activity associated with this vulnerability.
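The reset-then-reopen pattern described under "The one big thing" is what a server-side or proxy-side mitigation has to recognise: a single connection cancelling streams at a rate, and in a proportion, that no client waiting for responses would produce. The following is an added example, not code from Talos or from any affected vendor, that runs a sliding-window detector over a constructed set of HTTP/2 frame records. The `Frame` record type, the connection identifiers, the window size and the reset thresholds are all assumptions chosen for illustration; a real deployment would take the records from a proxy's frame log and tune the thresholds to its own traffic.

```python
"""Sliding-window detector for the HTTP/2 rapid-reset pattern.

Added example. The frame records produced by synthetic_capture() are
constructed, and every threshold below is an assumption for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    ts: float        # seconds since capture start
    conn: str        # connection identifier, e.g. "client_ip:port" (assumed format)
    kind: str        # "HEADERS" opens a stream, "RST_STREAM" cancels one
    stream_id: int


class RapidResetDetector:
    """Flags connections whose resets-per-window count and resets-to-opens
    ratio both exceed the configured (assumed) thresholds."""

    def __init__(self, window_s: float = 1.0, max_resets: int = 100,
                 min_reset_ratio: float = 0.5) -> None:
        self.window_s = window_s                # sliding window length
        self.max_resets = max_resets            # resets allowed per window
        self.min_reset_ratio = min_reset_ratio  # resets / opened streams
        self._opens: Dict[str, Deque[float]] = defaultdict(deque)
        self._resets: Dict[str, Deque[float]] = defaultdict(deque)
        self.flagged: Set[str] = set()

    def _trim(self, q: Deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def observe(self, frame: Frame) -> bool:
        """Record one frame; return True when it pushes the connection over threshold."""
        opens, resets = self._opens[frame.conn], self._resets[frame.conn]
        if frame.kind == "HEADERS":
            opens.append(frame.ts)
        elif frame.kind == "RST_STREAM":
            resets.append(frame.ts)
        else:
            return False  # other frame types do not affect this heuristic
        self._trim(opens, frame.ts)
        self._trim(resets, frame.ts)
        n_open, n_reset = len(opens), len(resets)
        if n_reset >= self.max_resets and n_reset / max(n_open, 1) >= self.min_reset_ratio:
            self.flagged.add(frame.conn)
            return True
        return False


def analyse(frames: Iterable[Frame], **kw) -> Set[str]:
    """Replay frames in time order and return the set of flagged connections."""
    det = RapidResetDetector(**kw)
    for f in sorted(frames, key=lambda f: f.ts):
        det.observe(f)
    return det.flagged


def synthetic_capture() -> List[Frame]:
    """Constructed sample: one browser-like client and one abusive client."""
    frames: List[Frame] = []
    # Legitimate client: 40 requests over 2 s, cancels two of them (e.g. navigation away).
    for i in range(40):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        frames.append(Frame(i * 0.05, "198.51.100.7:40001", "HEADERS", sid))
        if i in (5, 17):
            frames.append(Frame(i * 0.05 + 0.01, "198.51.100.7:40001", "RST_STREAM", sid))
    # Abusive client: 500 streams opened and each reset immediately, all within 0.5 s.
    for i in range(500):
        sid = 2 * i + 1
        frames.append(Frame(i * 0.001, "203.0.113.9:55555", "HEADERS", sid))
        frames.append(Frame(i * 0.001 + 0.0002, "203.0.113.9:55555", "RST_STREAM", sid))
    return frames


if __name__ == "__main__":
    for conn in sorted(analyse(synthetic_capture())):
        print(f"rapid-reset pattern on {conn}")
```

The two conditions are deliberately combined: a high reset count alone would flag a busy but honest client that is cancelling a few of many streams, while a high ratio alone would flag a client that opened and cancelled a single request. Tripping the detector is a signal to apply the connection-level response your mitigation layer already supports (rate limiting or closing the connection), not a reason to block an address outright.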

Top security headlines of the week

Attackers have published the personal information of almost one million people of Ashkenazi Jewish heritage after the adversaries breached genetic testing service 23andMe. The list allegedly includes full names, sex and 23andMe's data on where their ancestry stems from. As of Wednesday morning, the company was still investigating the attackers' claims but assumed the data was authentic. Customers can learn more about their family's heritage by providing identification data, health information, phenotype, photos and more to 23andMe. A security researcher said the information looked authentic, and that it's a sign that a data breach can be dangerous even if attackers don't end up manually breaking into a deeper layer of the network. (The Record by Recorded Future: 23andMe scraping incident leaked data on 1.3 million users of Ashkenazi and Chinese descent)

**Microsoft patched more than 100 vulnerabilities in its range of products as part of its monthly security update.** This batch included two zero-day vulnerabilities that had already been exploited in the wild and nine critical issues in the Layer 2 Tunneling Protocol. Meanwhile, Apple also released a security update Tuesday to fix two critical vulnerabilities in its iOS mobile operating system that were also being exploited in the wild. CVE-2023-42724 in iOS and iPadOS has been exploited by attackers to elevate their access on a local device. Back on the Microsoft side, the company also used Patch Tuesday as an opportunity to fix security holes in its products related to the high-profile HTTP/2 protocol vulnerability used to launch massive distributed denial-of-service (DDoS) attacks earlier this year. (Talos, Krebs on Security)

The International Committee of the Red Cross published new guidelines this week that it hopes hacktivist groups will follow during wartime to avoid affecting critical infrastructure and everyday civilians. An increasing number of civilian hackers have become involved in international conflicts hoping to make a difference, especially in the Russia-Ukraine war and now again in Israel. The Red Cross' new guidelines urge these groups and individuals to obey national laws, where applicable, and to follow the same rules for kinetic warfare that international humanitarian law (IHL) provides, which are aimed at safeguarding "civilians, and soldiers who are no longer able to fight, from some of the horrors of war." Some of the rules put forth include not targeting civilian objects, not deploying any malware that may hit military and civilian targets indiscriminately, and adhering to these rules even if the enemy does not. (Washington Post, SecurityWeek)

Can't get enough Talos?

Upcoming events where you can find Talos

**ATT&CKcon 4.0** (Oct. 24 - 25)

_McLean, Virginia_

> Nicole Hoffman and James Nutland discuss the MITRE ATT&CK framework in "One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK." Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often techniques are thrown at the bottom of reports and blogs without any context, never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**misecCON** (Nov. 17)

_Lansing, Michigan_

> Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines.

Most prevalent malware files from Talos telemetry over the past week

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 **MD5:** 7bdbd180c081fa63ca94f9c22c457376 **Typical Filename:** c0dwjdi6a.dll **Claimed Product:** N/A **Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** d5219579eec1819d52761730a72ce7a95ee3f598fcfd9a4b86d1010ea103e827 **MD5:** bf357485cf123a72a46cc896a5c4b62d **Typical Filename:** bf357485cf123a72a46cc896a5c4b62d.virus **Claimed Product:** N/A **Detection Name:** W32.Auto:d5219579ee.in03.Talos

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa **MD5:** 9403425a34e0c78a919681a09e5c16da **Typical Filename:** vincpsarzh.exe **Claimed Product:** N/A **Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440 **MD5:** ef6ff172bf3e480f1d633a6c53f7a35e **Typical Filename:** iizbpyilb.bat **Claimed Product:** N/A **Detection Name:** Trojan.Agent.DDOH

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa **MD5:** e9a6b1346d1a2447cabb980f3cc5dd27 **Typical Filename:** профиль 10 класс.exe **Claimed Product:** N/A **Detection Name:** Application_Blocker