Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.
Get the scoop before it's too late!
⚡ Threat of the Week
Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

Cybersecurity / Weekly Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

****⚡ Threat of the Week****

**Double Trouble: Evil Corp & LockBit Fall:** A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

  
****🔔 Top News****

*   **DoJ & Microsoft Seize 100+ Russian Hacker Domains:** The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
*   **Record-Breaking 3.8 Tbps DDoS Attack:** Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
*   **North Korean Hackers Deploy New VeilShell Trojan:** A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
*   **Fake Trading Apps on Apple and Google Stores:** A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
*   **700,000+ DrayTek Routers Vulnerable to Remote Attacks:** As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

****📰 Around the Cyber World****

*   **Salt Typhoon Breached AT&T, Verizon, and Lumen Networks:** A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
*   **U.K. and U.S. Warn of Iranian Spear-Phishing Activity:** Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
*   **NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed:** A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
*   **Major RPKI Flaws Uncovered in BGP's Cryptographic Defense:** A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
*   **Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps:** Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

**🔥 **Cybersecurity Resources & Insights****

*   **LIVE Webinars**
    *   **Modernization of Authentication: Passwords vs Passwordless and MFA:** Are you sure your passwords are enough? Discover the truth about passwordless tech and how MFA can protect you in ways you didn't even know you needed. Join our webinar to get ahead of the next big shift in cybersecurity.
*   **Ask the Expert**
    *   **Q: How can organizations reduce compliance costs while strengthening their security measures?**
    *   **A:** You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
*   **Cybersecurity Tools**
    *   **capa Explorer Web** is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    *   **Ransomware Tool Matrix** is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

****🔒 Tip of the Week****

**Keep an "Ingredients List" for Your Software:** Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a **Software Bill of Materials (SBOM)**, a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

****Conclusion****

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

A foreign government is believed to have hacked into the Dutch police force’s systems, exposing the contact details…

A foreign government is believed to have hacked into the Dutch police force’s systems, exposing the contact details of nearly 63,000 officers. The attack has raised serious concerns about cybersecurity and state-sponsored hacking.

A foreign government is believed to have hacked into the Dutch police force’s systems, exposing the contact details of nearly 63,000 officers. The attack reportedly took place on September 26, 2024.

The cyberattack on the Dutch police force was a sophisticated operation that targeted a specific police account. The attackers were able to exploit vulnerabilities in the system to gain access to the work-related contact details of nearly all Dutch police officers. While the exact method used by the hackers remains undisclosed, it is clear that they were highly skilled and well-prepared.

The hackers gained access to sensitive information including names, emails, phone numbers, private details of some, and ‘work related’ data. While the Dutch government has not publicly identified the perpetrators, intelligence agencies have concluded that a state actor was likely behind the attack.

“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country,” stated Politie (national Dutch police). 

The hack against the Dutch Police is noteworthy, as this is not a typical event. The agency is recognized globally for its high-profile actions and proactive stance against cybercrime. Some of its notable operations include seizing the infamous dark web drug and data marketplace HANSA, shutting down Raid Forums and Breach Forums, EncroChat, and targeting DDoS-for-hire sites, among others.

The stolen information could potentially be used to target officers, their families, or informants. The Dutch police immediately investigated the breach, enlisting the help of internal cyber specialists and national security partners. The investigation is ongoing, and the police have not yet publicly attributed the attack to a specific country or actor.

According to Justice and Security Minister David van Weel, the hack impacted (PDF) nearly all police officers in the Netherlands, leading to widespread unrest among officers, particularly those involved in covert operations. The stolen information has not yet been leaked online, but the chief of police and security services are taking the incident seriously. 

The Netherlands Police Union chair, Nine Kooiman, called the hack a ‘nightmare,’ urging for prompt identification of the perpetrators. Nevertheless, the incident highlights the growing threat posed by state-sponsored cyberattacks. As countries increasingly rely on online infrastructure, the need for strong cybersecurity defences has never been more urgent.

1.  Database Leak Exposes 500K Irish Police Vehicle Seizure Records
2.  Data Leak Exposes 500GB of Indian Police, Military Biometric Data
3.  Police lose evidence to Ryuk ransomware attack; suspects walk free
4.  Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes
5.  Chinese Hackers Infiltrate Dutch Defense Networks with Coathanger RAT

Dutch Police Hacked, 63,000 Officers’ Details Exposed

Internet infrastructure provider Cloudflare fends off a massive 3.8 Tbps DDoS attack, surpassing the previous record. Learn how…

Internet infrastructure provider Cloudflare fends off a massive 3.8 Tbps DDoS attack, surpassing the previous record. Learn how Cloudflare’s advanced security measures protected its customers from this unprecedented cyber threat.

Internet infrastructure provider Cloudflare has successfully repelled a massive distributed denial-of-service (DDoS) attack that reached a staggering 3.8 terabits per second (Tbps) and 2.14 billion packets per second (PPS), confirmed the company’s CEO, Matthew Prince. This unprecedented assault surpasses the previous record of 3.47 Tbps DDoS attack with a packet rate of 340 million PPS encountered by Microsoft in November 2021.

> Not all records you’re happy about breaking: @Cloudflare recently mitigated the largest ever reported hyper-volumetric #DDoS attack. 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Bpps). Handled automatically any without any customer impact. Details to come. pic.twitter.com/SuHZsqCEFV
> 
> — Matthew Prince 🌥 (@eastdakota) October 1, 2024

The attack was part of a month-long hacking campaign that began in early September 2024. These attacks, designed to overwhelm a website or app with internet traffic, aimed to force Cloudflare’s customers offline. Over 100 volumetric DDoS attacks were launched during this period, with many exceeding 3 Tbps and mainly originating from Vietnam, Russia, Brazil, Spain, and the US.

The hackers utilized a botnet consisting of hijacked internet devices, including Asus and MikroTik routers, DVRs, and web servers. 

“The high bitrate attacks appear to originate from a large number of compromised ASUS home routers, likely exploited using a CVE 9.8 (Critical) vulnerability that was recently discovered by Censys,” Cloudflare researchers noted.

The botnet leveraged the User Datagram Protocol (UDP) to generate massive amounts of traffic, overwhelming Cloudflare’s targets. The attacks were primarily focused on volumetric L3/4 DDoS, which aims to exhaust a target’s bandwidth and resources. The target was a customer of an unnamed hosting provider.

While the attacks were severe, Cloudflare was able to mitigate them without significant disruption to its customers. Cloudflare’s global network of individual servers and advanced traffic analysis systems were instrumental in mitigating the record-breaking attack. The company’s ability to distribute incoming traffic and filter out malicious data flow enabled it to effectively defend its customers. 

The DDoS campaign targeted various industries, including finance, internet, and telecommunications. The company’s strong network and defence systems ensured that most customers experienced minimal downtime or service degradation.

The threat actors behind the campaign exploited hijacked internet devices, such as routers, DVRs, and web servers, to form a botnet. This botnet leveraged the User Datagram Protocol (UDP) to generate massive amounts of traffic, overwhelming Cloudflare’s targets.

Despite Cloudflare’s successful defence of this record-breaking DDoS attack, the incident highlights the growing sophistication of cyber threats and the importance of adopting reliable internet infrastructure.

The development of new attack techniques and accessible tools makes it easier for attackers to launch large-scale attacks. As online services continue to expand, the need for advanced security measures to protect against such attacks becomes increasingly critical.

1.  Cloudflare thwarts largest reported HTTP DDoS attack
2.  Microsoft Azure customer hit by 2.4 Tbps DDoS attack
3.  Record-Breaking DDoS Attack Against European Firm Mitigated
4.  Kaspersky Reveals Alarming IoT Threats, Dark Web DDoS Boom
5.  Google, Cloudflare, AWS Disclose Largest DDoS Attack in History

Cloudflare Mitigates Record Breaking 3.8 Tbps DDoS Attack

Cloudflare has disclosed that it mitigated a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds.
The web infrastructure and security company said it fended off "over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (

Cloudflare has disclosed that it mitigated a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds.

The web infrastructure and security company said it fended off "over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps)."

The hyper-volumetric L3/4 DDoS attacks have been ongoing since early September 2024, it noted, adding they targeted multiple customers in the financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.

The previous record for the largest volumetric DDoS attack hit a peak throughput of 3.47 Tbps in November 2021, targeting an unnamed Microsoft Azure customer in Asia.

The attacks leverage the User Datagram Protocol (UDP) protocol on a fixed port, with the flood of packets originating from Vietnam, Russia, Brazil, Spain, and the U.S. These include compromised MikroTik devices, DVRs, and web servers.

Cloudflare said that the high bitrate attacks are likely emanating from a large botnet comprising infected ASUS home routers that are exploited using a recently disclosed critical flaw (CVE-2024-3080, CVSS score: 9.8).

According to statistics shared by attack surface management firm Censys, a little over 157,000 ASUS router models were potentially affected by the vulnerability as of June 21, 2024. A majority of these devices are located in the U.S., Hong Kong, and China.

The end goal of the campaign, per Cloudflare, is to exhaust that target's network bandwidth as well as CPU cycles, thereby preventing legitimate users from accessing the service.

"To defend against high packet rate attacks, you need to be able to inspect and discard the bad packets using as few CPU cycles as possible, leaving enough CPU to process the good packets," the company said.

"Many cloud services with insufficient capacity, as well as the use of on-premise equipment, are not sufficient to defend against DDoS attacks of this size, since the high bandwidth utilization that can clog up Internet links and due to the high packet rate that can crash in-line appliances."

Banking, financial services, and public utilities are a hot target for DDoS attacks, having experienced a 55% spike over the past four years, per network performance monitoring company NETSCOUT. In the first half of 2024 alone, there has been a 30% increase in volumetric attacks.

The surge in frequency of DDoS attacks, primarily due to hacktivist activities targeting global organizations and industries, have also been coupled by the use of DNS-over-HTTPS (DoH) for command-and-control (C2) in an effort to make detection challenging.

"The trend of implementing a distributed botnet C2 infrastructure, leveraging bots as control nodes, further complicates defense efforts because it's not just the inbound DDoS activity but also the outbound activity of bot-infected systems that need to be triaged and blocked," NETSCOUT said.

The development comes as Akamai revealed that the recently disclosed Common UNIX Printing System (CUPS) vulnerabilities in Linux could be a viable vector for mounting DDoS attacks with a 600x amplification factor in mere seconds.

The company's analysis found that more than 58,000 (34%) out of the roughly 198,000 devices that are accessible on the public internet could be enlisted for conducting DDoS attacks.

"The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added," researchers Larry Cashdollar, Kyle Lefton, and Chad Seaman said.

"For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources."

It's estimated that there are about 7,171 hosts that have CUPS services exposed over TCP and are vulnerable to CVE-2024-47176, Censys said, calling it an underestimate owing to the fact that "more CUPS services seem to be accessible over UDP than TCP."

Organizations are advised to consider removing CUPS if printing functionality isn't necessary and firewall the service ports (UDP/631) in cases where they're accessible from the broader internet.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cloudflare Thwarts Largest-Ever 3.8 Tbps DDoS Attack Targeting Global Sectors

Several of the flaws enable remote code execution and denial-of-service attacks while others enable data theft, session hijacking, and other malicious activity.

Source: PeterPhoto123 via Shutterstock

Potentially tens of thousands of DrayTek routers, including models that many businesses and government agencies use, are at heightened risk of attack via 14 newly discovered firmware vulnerabilities.

Several of the flaws enable denial-of-service and remote code execution (RCE) attacks, while others allow threat actors to inject and execute malicious code into webpages and the browsers of users who visit compromised websites.

**A Wide Range of Flaws**

Two of the new flaws are critical, meaning they need immediate attention: CVE-2024-41592, a maximum-severity RCE bug in the Web UI component of DrayTek routers, and CVE-2024-41585, an OS command execution/VM escape vulnerability with a CVSS severity score of 9.1. Nine of the vulnerabilities are medium-severity threats, and three are relatively low-severity flaws. The vulnerabilities are present in 24 DrayTek router models.

Researchers at Forescout's Vedere Labs discovered the vulnerabilities during an investigation of DrayTek routers, prompted by what the security vendor described as signs of consistent attack activity targeting the routers and a rash of recent vulnerabilities in the technology.

They found over 704,000 Internet-exposed DrayTek routers — mostly in Europe and Asia — many of which likely contain the newly discovered vulnerabilities.

"Since 75% of these routers are used in commercial settings, the implications for business continuity and reputation are severe," Forescout researchers warned in a report that summarized the findings from their investigation, which they dubbed Dray:Break. "A successful attack could lead to significant downtime, loss of customer trust, and regulatory penalties, all of which fall squarely on a CISO's shoulders."

**Patching May Not Be Enough**

DrayTek has issued patches for all the vulnerabilities via different firmware updates. However, organizations should not stop with just applying the patches, says Daniel dos Santos, the head of security research at Forescout Vedere Labs. To lower risk from similar vulnerabilities in DrayTek routers in the future, security teams should also proactively implement longer-term mitigation measures, he adds. "Our report shows there's a long history of critical vulnerabilities affecting those routers, and many have been weaponized by botnets and other malware," he says. "Taking a proactive security approach ensures that even when new vulnerabilities are found, the risk to an organization will be low."

Attackers will likely find it relatively easy to find DrayTek routers that contain the new vulnerabilities using search engines such as Shodan or Censys, dos Santos says. But "exploitation is more difficult because we did not provide a detailed working proof-of-concept, only the overall description of the vulnerabilities," he adds. "If another researcher or an attacker builds and publishes a working exploit, then mass exploitation could happen — like how it has happened for other DrayTek CVEs in the past."

The mitigations that DrayTek and Forescout have recommended include disabling remote access if not needed, verifying that no unauthorized remote access profiles have been added, enabling system logging, and using only secure protocols such as HTTPS. Forescout also recommends that DrayTek customers ensure proper network visibility, change default configurations, replace end-of-life devices, and segment their networks.

**A Popular Attack Target**

The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, Juniper, and Zyxel.

In a September advisory, the FBI, the US National Security Agency, and Cyber National Mission Force warned of Chinese threat actors compromising such routers and Internet of Things devices in widespread botnet operations. "The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial-of-service (DDoS) attacks or compromising targeted US networks," the advisory warned. Two weeks prior to the advisory, the US Cybersecurity and Infrastructure Security Agency added two DrayTek vulnerabilities from 2021 (CVE-2021-20123 and CVE-2021-20124) to its known exploited vulnerabilities list citing active exploitation activity. In 2022, a critical RCE in DrayTek's Vigor brand of routers put numerous small and medium-size businesses at risk of zero-click attacks.

The relatively high number of critical vulnerabilities in DrayTek products in recent years is another concern because many organizations don’t appear to be addressing them quickly enough, Forescout said. The security vendor's report highlighted 18 vulnerabilities going back to 2020, most of which have near maximum severity scores of 9.8 on the CVSS scale. Yet 38% of more than 704,000 DrayTek devices that Forescout discovered didn't have patches for disclosed vulnerabilities from two years ago.

"Many organizations don't have the right level of visibility into unmanaged devices such as routers, so they may be unaware of these issues on their networks," dos Santos says. "They rely on endpoint telemetry and security agents to provide information about software versions and apply patches. But when it comes to firmware — which doesn't support agents — they might not know that vulnerabilities exist in their network or may not have manually applied the patches."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Thousands of DrayTek Routers at Risk From 14 Vulnerabilities

New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises…

New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises Linux servers, exploiting vulnerabilities for cryptomining and system resource hijacking.

Cybersecurity researchers at Aqua Nautilus have discovered a new Linux malware that has targeted millions worldwide, exploiting over 20,000 misconfigurations. The malware has been lurking for some time, but recently attacked a Nautilus honeypot, providing an opportunity to detect and examine this threat that can put any Linux server at risk.

According to Aqua Nautilus, this sophisticated Linux malware dubbed “perfctl” has been quietly targeting servers worldwide over the past few years. This highly persistent and evasive threat has been actively seeking vulnerabilities and misconfigurations to compromise systems.

The malware’s name comes from the cryptominer process, which drains system resources and causes significant issues for Linux developers. In the company’s technical research, shared exclusively with Hackread.com ahead of publishing on October 3 Thursday, there have been numerous incident reports and discussions in online communities pointing to the widespread prevalence of perfctl.

The malware’s impact has been felt across various developer forums, including Reddit, Stack Overflow, and others. “Usually in some of these posts, you can find replies with links to reports about the malware written by researchers. But in this case, however, none of these had links to such reports,” noted Assaf Morag and Idan Revivo in their research.

Another concerning trend highlighted by researchers is that Perfctl uses rootkits and evasion techniques to hide its presence from standard system tools and monitoring processes. It temporarily suspends its activities when new users log in, making it harder to detect. In addition, Perfctl uses Unix sockets for internal communication and the Tor network for external connections, making it difficult to track its activities.

The attack starts with the malware downloading a main payload from an attacker-controlled HTTP server controlled, named “httpd”. This payload has multiple layers of execution, ensuring persistence and evading detection. The malware copies itself to a new location, runs a new binary, terminates the original process, and deletes the initial binary.

It then executes the main payload under a different name, choosing the process’s name to appear less suspicious. The malware is executed by ‘sh’, changing its name from httpd to sh.

This malware gains persistence by self-replicating and using deceptive filenames that resemble legitimate system files. Perfctl copies itself to multiple locations on the disk, ensuring its survival even after system restarts or cleanups. 

Perfctl’s primary goal is cryptomining, using infected systems for cryptocurrency generation. It has also been observed engaging in proxy-jacking, and hijacking server resources for malicious purposes. Perfctl attempts to exploit the Polkit vulnerability (CVE-2021-4043) to gain root privileges, granting it greater access and control over the system.

Attack flow (Aqua Nautilus)

> _“Given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk.”_
> 
> Aqua Nautilus

Perfctl’s rootkit and evasion techniques make detection challenging, while its deceptive filenames and behaviour can make it appear legitimate. Its dynamic behaviour can also hinder detection efforts.

To protect your Linux systems from Perfctl, regularly update your operating system and software with the latest security patches, conduct vulnerability assessments, implement robust network security measures like firewalls and intrusion detection systems, monitor system activity for unusual behaviour, and use security tools like endpoint protection solutions.

1.  Telegram-Controlled TgRat Trojan Targets Linux Servers
2.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
3.  Play Ransomware Variant Targeting Linux ESXi Environments
4.  Decade-Old Linux Vulnerability Used for DDoS Attacks on CUPS
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

New Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files

All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

Source: sofiacorte via Shutterstock

It turns out that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS) for managing printers and print jobs.

The vulnerabilities apparently also enable adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less of than 1 cent, using any modern cloud platform.

**Large Number of Potential DDoS Attack Systems**

Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.

"Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario," researchers at Akamai said this week after discovering the new attack vector.

CUPS is an Internet Printing Protocol (IPP)-based open source printing system for Unix-like operating systems, including Linux and macOS. It provides a standard way for computers to manage printers and print jobs.

Independent security researcher Simone Margaritelli last week disclosed a serious flaw in CUPS that could allow an attacker to remotely execute malicious commands by manipulating URLs using a combination of four different vulnerabilities. The vulnerabilities are CVE-2024-47176 in "cups-browsed," a component for simplifying printer discovery and management in a network; CVE-2024-47076 in the "libcupsfilters" software library; CVE-2024-47175 in the "libppd" library; and CVE-2024-47177 in the "cups-filters" package.

Margaritelli described the vulnerabilities as affecting most GNU/Linux distributions, some BSDs, Oracle Solaris, potentially Google Chrome OS and Chromium, and other operating systems. "The short version of this exploit is that certain configurations of cups-browsed as well as associated CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system" and potentially gain control of it, open source and software bill of materials management vendor Fossa said in an analysis.

**All It Takes is a Single Packet**

Margaritelli's research focused on how attackers could leverage the vulnerabilities to take control of CUPS hosts. What Akamai discovered is that a threat actor could also use them for DDoS attacks. "The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added," Akamai said. "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target." Akamai found that all it takes for someone to launch an attack is to send a single maliciously crafted packet to a vulnerable CUPS service with Internet connectivity.

Kyle Lefton, security researcher at Akamai, says that while the previously reported RCE exploit is more dangerous, the DDoS vulnerability is much easier for a threat actor to exploit. "It is likely that organizations may start seeing attacks leveraging this vulnerability, which causes issues for not just the targets of these DDoS attacks, but those running the vulnerable CUPS servers as well," he says. "The key takeaway here is to stress the importance of patching outdated CUPS systems, or applying other mitigation techniques, such as removing CUPS if deemed unnecessary, or applying firewall rules for UDP port 631 and keeping them from accessing the public Internet."

Akamai researchers discovered a total of 198,000 vulnerable CUPS hosts that are Internet accessible. Of those, 34%, or more than 58,000, are vulnerable to corralling for DDoS attacks. Akamai found that a threat actor could get these systems to start spewing out attack traffic by using a simple script to send a single malicious UDP packet to a vulnerable CUPS host. They found they could substantially amplify attack traffic volumes by padding — or adding extra and often irrelevant characters or data — to the URL payload.

Larry Cashdollar, principal security researcher at Akamai, says the vulnerability of a CUPS host to the DDoS attack really depends on its configuration. "It's possible that network administrators might have additional firewalls in place to block outbound traffic from the printers or that system administrators have done their hardening of the printer servers," on the other vulnerable hosts, Cashdollar says.

**Strain on Server Hardware**

Troublingly, although organizations running vulnerable CUPS systems may not be the target of DDoS attacks, the attacks themselves can put strain on the server hardware, Lefton adds. "We confirmed that some of these CUPS systems complete TLS handshakes to HTTPS protected websites, which creates further strain on server hardware and resource consumption overhead due to the handshake and encryption/decryption processing."

DDoS attacks, though well understood, continue to present a challenge for many organizations. Though many companies have implemented robust measures for protecting against DDoS attacks and mitigating fallout, the number of these attacks have only increased. Recent numbers from Cloudflare showed a 20% year-over-year increase in DDoS attacks; the company said it mitigated 8.5 million DDoS attacks just in the first six months of this year. Cloudflare attributed the trend at least partly to more threat actors gaining access to capabilities that once were available only to nation-state actors, thanks to the rise in generative AI (GenAI) tools and autopilot systems for writing attack code better and faster.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai,…

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai, can be exploited for additional malicious purposes, including RCE and DDoS attacks against the Common Unix Printing System (CUPS).

Hackread.com recently **reported** a critical Linux vulnerability, discovered by cybersecurity researcher Simone Margaritelli (aka **evilsocket**), which could allow attackers to gain complete control of GNU/Linux systems, potentially allowing Linux Remote code execution. This decade-old flaw affects all GNU/Linux systems and has a severity score of 9.9 out of 10, indicating immense potential for damage if exploited. 

As per the latest updates, new findings from Cloud computing giant, Akamai, and cybersecurity firm, Uptycs, highlight an even more immediate concern: exploiting the issue for devastating DDoS attacks and carrying out remote code execution (RCE) in Linux.

****Uptycs Research****

Uptycs threat research team **identified** vulnerabilities in CUPS (Common UNIX Printing System), which can be exploited to install malicious printers and execute unauthenticated remote code execution attacks. CUPS is a widely used open-source printing system for Linux and Unix-like operating systems, allowing users to share printers on a network and manage printing jobs. 

The vulnerability resides in the cups-browsed daemon, a component that searches for available network printers. An attacker can exploit this flaw by sending a malicious packet to a vulnerable CUPS service. This packet tricks the service into fetching a non-existent printer description file from a target server specified by the attacker.

According to researchers, attackers can create a malicious PPD file and send it to a vulnerable CUPS server, requiring the cups-browsed daemon to be enabled, UDP port 631 open, and the victim to print to the malicious printer.

****Akamai Research****

Researchers at Akamai SIRT (Security Incident Response Team) also discovered a flaw that allows attackers to exploit vulnerable CUPS servers and turn them into unwitting amplifiers for distributed- denial-of-service (DDoS) attacks, allowing attackers to exploit vulnerable servers and turn them into unwitting DDoS hosts.

According to the company’s **blog post** published on October 01, 2024, the attack involves misinterpreting a UDP packet, downloading malicious data, and establishing multiple TCP connections to a target system, potentially causing an outage. 

****The Scope of the Problem:****

*   Akamai identified over 198,000 internet-connected devices running CUPS.
*   Roughly 34% (over 58,000) of these devices were vulnerable to the attack.
*   Outdated CUPS versions (released as far back as 2007) were the most susceptible.
*   Testing revealed potential amplification factors of up to 600x, significantly increasing attack power.

The issues discussed in these reports are directly related to the Linux vulnerability discovered by Margaritelli because his identified vulnerability involves a remote code execution exploit chain that targets the Common Unix Printing System (CUPS).

This exploit chain leverages several vulnerabilities, including **CVE-2024-47175** (libppd), **CVE-2024-47176** (cups-browsed), **CVE-2024-47177** (cups-filters), and **CVE-2024-47076** (libcupsfilters).

To stay protected, install the latest version of CUPS and ensure all system components, such as libcupsfilters, libppd, and cups-filters, are updated. Disable or configure cups-browsed daemon, if printing isn’t essential, or restrict access to it to trusted devices. Strengthen network security with firewalls, intrusion detection systems, and IPS, and regularly review and update security policies.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**
5.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**

Decade-Old Linux Vulnerability Can Be Exploited for DDoS Attacks on CUPS

AFP news agency suffers a cyberattack disrupting its content delivery systems. News coverage continues as experts investigate, with…

AFP news agency suffers a cyberattack disrupting its content delivery systems. News coverage continues as experts investigate, with AFP urging partners to secure credentials and mitigate risks.

Agence France-Presse (AFP), one of the world’s leading news agencies, suffered a cyberattack that disrupted parts of its news delivery infrastructure. The attack, which took place on September 27, impacted AFP’s ability to distribute content to some of its clients. However, the agency assures that its core news reporting remains uninterrupted.

****The Cyberattack and Immediate Response****

The attack specifically targeted AFP’s IT systems, affecting some of the key delivery mechanisms that the agency uses to transmit content to its clients, including content delivery networks (CDNs) and file transfer services. Although the exact type of attack and the threat actors behind it remain unidentified, AFP said it has taken quick actions to restore full services.

According to AFP’s press release, French cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) was called in to aid in mitigating the impacts and securing the systems.

AFP’s technical teams have also identified that FTP credentials used by some clients to receive content might have been compromised during the incident. To address this, AFP has issued a cautionary alert to its partners, advising them to change their FTP passwords and ensure their reception systems are fully secure.

****Global News Coverage Remains Unaffected****

Despite the disruptions, AFP has made it clear that its editorial teams are operating without interruptions. The agency’s newsroom continues to report global events in multiple languages, including French, English, Arabic, and Spanish, ensuring the flow of news is not compromised. The incident specifically targets backend operations used for distribution rather than production, meaning AFP’s ability to gather and report news has not been impacted.

At this time, no group has claimed responsibility for the attack. However, France has experienced a series of high-profile cyberattacks throughout 2024, targeting healthcare providers to government services. This latest attack on AFP adds to a growing list of concerns regarding the online safety of French critical infrastructure, particularly in sensitive sectors like media.

1.  **FOX News Exposed 13 Million Sensitive Records Online**
2.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
3.  **France’s largest newspaper exposed 8TB of data, 7.4B records**
4.  **France Weather Forecast Website Hacked By Anti-War Hackers**
5.  **Hackers Leak 221K User Data in Tech in Asia News Outlet Breach**

AFP News Agency’s Content Delivery Systems Hit by Cyberattack

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.
This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.
The attacks

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.

This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.

The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH.

Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab.

On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan\[.\]live") that, in turn, checks if it's running as the root user and tools like curl and wget are installed before downloading the XMRig miner.

Like other cryptojacking campaigns, it makes use of the libprocesshider rootkit to hide the malicious miner process from the user when running process enumerating tools like top and ps.

The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread\_docker\_local.sh, and spread\_ssh.sh – from the same server for lateral movement to Docker, Kubernetes, and SSH endpoints on the network.

Spread\_docker\_local.sh "uses masscan and zgrab to scan the same LAN ranges \[...\] for nodes with ports 2375, 2376, 2377, 4244, and 4243 open," the researchers said. "These ports are associated with either Docker Engine or Docker Swarm."

"For any IPs discovered with the target ports open, the malware attempts to spawn a new container with the name alpine. This container is based on an image named upspin, hosted on Docker Hub by the user nmlmweb3."

The upspin image is designed to execute the aforementioned init.sh script, thus allowing the group's malware to propagate in a worm-like fashion to other Docker hosts.

What's more, the Docker image tag that's used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, thereby allowing the threat actors to easily recover from potential takedowns by simply changing the file contents to point to a different container image.

The third shell script, spread\_ssh.sh, is capable of compromising SSH servers, as well as adding an SSH key and a new user named ftp that enables the threat actors to remotely connect to the hosts and maintain persistent access.

It also searches for various credential files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba in hard-coded file paths within the GitHub Codespaces environment (i.e., the "/home/codespace/" directory), and if found, uploads them to the C2 server.

In the final stage, both the Kubernetes and SSH lateral movement payloads execute another shell script called setup\_mr.sh that retrieves and launches the cryptocurrency miner.

Datadog said it also discovered three other scripts hosted on the C2 server -

*   ar.sh, a variant of init.sh that modifies iptables rules and clears logs and cron jobs to evade detection
*   TDGINIT.sh, which downloads scanning tools and drops a malicious container on each identified Docker host
*   pdflushs.sh, which installs a persistent backdoor by appending a threat-actor-controlled SSH key to the /root/.ssh/authorized\_keys file

TDGINIT.sh is also notable for its manipulation of Docker Swarm by forcing the host to leave any existing Swarm it may be part of and add it to a new Swarm under the attacker's control.

"This allows the threat actor to expand their control over multiple Docker instances in a coordinated fashion, effectively turning compromised systems into a botnet for further exploitation," the researchers said.

It's currently not clear who is behind the attack campaign, although the tactics, techniques, and procedures exhibited overlap with those of a known threat group known as TeamTNT.

"This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale," Datadog said.

"The campaign relies on Docker API endpoints being exposed to the Internet without authentication. The malware's ability to propagate rapidly means that even if the chances of initial access are relatively slim, the rewards are high enough to keep cloud-focused malware groups motivated enough to continue conducting these attacks."

The development comes as Elastic Security Labs shed light on a sophisticated Linux malware campaign targeting vulnerable Apache servers to establish persistence via GSocket and deploy malware families such as Kaiji and RUDEDEVIL (aka Lucifer) that facilitate distributed denial-of-service (DDoS) and cryptocurrency mining, respectively.

"The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels," researchers Remco Sprooten and Ruben Groenewoud said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos