WEEKLY TOP TEN: October 7, 2024, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:

- When CUPS Runneth Over: The Threat of DDoS
Last week a new RCE vulnerability was discovered in Linux CUPS (Common Unix Printing System). Researchers at Akamai have found a new use case for abusing this vulnerability: using it for DDoS attacks. A single packet sent to a vulnerable CUPS service is the only requirement to stage this attack. This attack has already been seen in the wild, as Cloudflare reported on the largest recorded DDoS attack on October 3rd. The attack clocked in at 3.8 Tbps of data and lasted over a minute.

- Critical Flaw in NVIDIA Container Toolkit Allows Full Host Takeover
NVIDIA has released a patch this week for its Container Toolkit, addressing a container escape attack. The vulnerability allows full control of the host system. NVIDIA Container Toolkit is widely used in AI-focused platforms and cloud environments. While the full details are being withheld, the attack is possible due to a lack of isolation between the containerized GPU and the host. Versions before 1.16.2 are impacted.

- Critical Zimbra RCE Flaw Exploited to Backdoor Servers Using Emails
A flaw in Zimbra email servers allows remote code execution when emails are sent to the SMTP server. The exploit is simple: commands entered in the CC field are executed when the email is processed. Proofpoint has already observed exploitation in the wild, with threat actors dropping shells via curl. Zimbra has patched the flaw and recommends updating to version 9.0.0 Patch 41 or later.

- Perfctl: A Stealthy Malware Targeting Millions of Linux Servers
Perfctl is a Linux cryptominer and rootkit that infects Linux servers through multiple vulnerabilities or misconfigurations. Perf is a Linux utility and ctl indicates a command line tool; the name allows the malware to appear legitimate. Servers running a vulnerable version of RocketMQ are targeted. The attack chain is complex: once dropped, perfctl installs rootkits, a C2 beacon, and a Monero cryptominer.

- WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks
A new XSS vulnerability in the WordPress LiteSpeed Cache plugin (CVE-2024-47374) has been disclosed. The vulnerability allows HTTP requests to be used for privilege escalation. The plugin does not sanitize the “X-LSCACHE-VARY-VALUE” HTTP header, allowing code stored in that header to be executed by the server. LiteSpeed has fixed the vulnerability as of version 4.7.8.

- Ransomware Groups Demystified: CyberVolk Ransomware
Researchers at Rapid7 have released a new report that documents the tactics and techniques of the hacktivist-turned-ransomware group CyberVolk. CyberVolk started as a political hacktivist group but has recently pivoted to ransomware. The group has been seen targeting entities in Spain with ransomware and DDoS attacks. Technical analysis from Rapid7 on the CyberVolk ransomware reveals some flaws in the decryption process. Despite these flaws, CyberVolk will continue to refine its techniques.

- Probing Slack Workspaces for Authentication Information and Other Treats
A new report by PaperMtn reveals how an unauthenticated user can probe for sensitive information from any Slack workspace. Slack is a popular cloud-based team communication platform and is widely used throughout many industries. The report explains that the workspace URL is the only information required to extract data from Slack. Sending an HTTP GET request to the URL returns data about the workspace, such as whether MFA is enabled and which domains are approved. Notably, an attacker can access the workspace when an approved domain is either a free service or an expired domain.

- DrayTek Fixed Critical Flaws in Over 700,000 Exposed Routers
DrayTek has released security patches for 24 router models, fixing 14 vulnerabilities. Included is a fix for FSCT-2024-0006, a buffer overflow vulnerability with a CVSS score of 10.0. Shodan shows approximately 785,000 vulnerable routers, most of which expose their web interface to the internet. DrayTek users are advised to update their routers and disable the remote access console if it is not being used.

- Stay Safe This Prime Day: Check Point Identifies Rise in Phishing Attacks and Scam Emails
Amazon phishing campaigns are ramping up as we head towards Black Friday and “Prime Day”. Research from Check Point has identified more than 1000 new Amazon-related domains registered in the last 30 days, with 88% being malicious. Check Point has also noticed an increase in phishing emails related to “Prime”; these emails request updated payment methods or payment to continue membership. Phishing emails can appear identical to official Amazon communication, so always double-check links and the sender before entering sensitive information.

- Fake Browser Updates Spread Updated WarmCookie Malware
The threat actor group SocGholish has been distributing a backdoor named WarmCookie. The campaign is dubbed ‘FakeUpdate’ because the malware is spread through malicious domains such as “edgeupdate” and “mozilaupgrade”. These domains have been crafted to appear legitimate to untrained users, who will assume they need to update their browsers or applications. They host legitimate-looking update installers, which drop the WarmCookie malware.