Brief #21: Record Breaking DDoS Attack, Curl Vulnerability

TL;DR

Unprecedented Scale: The HTTP/2 Rapid Reset attack has set new records for DDoS attacks, peaking at 398 million requests per second (RPS) on Google's network. Cloudflare reported an attack three times larger than their previous record, reaching 201 million RPS.
Exploitation Technique: Attackers abuse the HTTP/2 feature called "stream cancellation." They send a request and then immediately cancel it, overwhelming servers. This method is highly efficient, requiring only a small botnet to launch massive attacks.
Industry Response: Cloudflare, Google, and AWS have implemented additional mitigations. They've also coordinated disclosure to web server vendors, who are working on patches. The vulnerability is tracked as CVE-2023-4487 with a high severity rating.
Mitigation and Risk: Any server or application running the standard implementation of HTTP/2 is at risk. Immediate action is recommended: apply vendor patches and consider using DDoS mitigation services.

Tactics and Tools: AvosLocker uses a mix of open-source and legitimate software for attacks. Notable utilities include AnyDesk for remote access, Cobalt Strike for command and control, and Mimikatz for credential theft.
Stealth and Movement: The ransomware employs "living-off-the-land" tactics, using native Windows tools like PSExec and custom PowerShell scripts for lateral movement and privilege escalation.
Double Extortion: AvosLocker not only encrypts files but also exfiltrates them, adding a layer of extortion. The group uses custom web shells and batch scripts to disable security measures.
Defensive Measures: The FBI and CISA recommend network segmentation, limiting remote desktop services, and implementing multi-factor authentication as key defensive strategies.

Hex IP Evasion: Shellbot now uses hexadecimal IP addresses to dodge URL-based detection. This change allows it to infiltrate Linux SSH servers more stealthily.
Attack Vector: Shellbot compromises servers with weak SSH credentials through dictionary attacks. Once in, it can launch DDoS attacks or deploy crypto miners.
Curl Compatibility: The malware leverages the curl utility's ability to support hexadecimal IPs, making it easier to download and execute on Linux systems.
Defense Measures: To fend off Shellbot, admins should use strong passwords and rotate them regularly. This simple step can significantly reduce the risk of compromise.

End of an Era: Microsoft is phasing out VBScript, a 27-year-old scripting language. It will soon be a "feature on demand" before being removed entirely from future Windows releases.
Security Implications: The move is likely a security measure. VBScript has been a popular tool for cybercriminals, used in malware like Lokibot, Emotet, and Darkgate.
Impact on Admins: System administrators who relied on VBScript for task automation will need to transition to alternatives like PowerShell. This could be a challenging shift for some.
Legacy Systems: VBScript is still in use in various environments. Its removal could affect legacy systems and tools like Microsoft Deployment Toolkit, which depends on VBScript.

Heap-Based Buffer Overflow: CVE-2023-38545 is a high-severity flaw affecting libcurl and the curl tool. It can be triggered during a slow SOCKS5 proxy handshake. The flaw could lead to data corruption and, in worst cases, arbitrary code execution.
Cookie Injection Flaw: CVE-2023-38546 is a less severe issue affecting only libcurl. It allows an attacker to insert cookies into a running program under specific conditions.
Exploitation Complexity: Despite the hype, exploiting these vulnerabilities is not straightforward. For the buffer overflow to be triggered, a slow SOCKS5 connection and specific hostname conditions must be met.
Patch and Upgrade: Curl version 8.4.0 has patches for both vulnerabilities. Immediate upgrade is advised, especially for applications that depend on older versions of libcurl.