Red Hat Security Advisory 2024-1444-03 - An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1444.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs:16 security updateAdvisory ID:        RHSA-2024:1444-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1444Issue date:         2024-03-21Revision:           03CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)* nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2264574

Red Hat Security Advisory 2024-1444-03

By Deeba Ahmed
Apex Legends Global Series Thrown into Chaos as Hackers Invade Live Finals!
This is a post from HackRead.com Read the original post: Pro Players Hacked Live On Stream! Apex Legends Tournament Postponed

Two esports players were hacked during a live-streamed game, causing the Apex Legends Global Series tournament to be postponed.

On Sunday night, EA and Respawn’s shooter game Apex Legends was disrupted by a hacking incident, causing the Apex Legends Global Series tournament to be postponed. The players were competing in the popular shooter game having a $5 million prize pool.

The incident occurred during a live-streamed game, where Apex pro player Noyan “Genburten” Ozkose reported his game being hacked and hijacked to deploy cheats. The player complained about the activation of cheats like wallhacks, which provided the compromised account with an unfair advantage over legitimate players.

During the livestream, Genburten yelled he was “getting hacked” when a cheat program’s settings menu appeared. Genburten’s screen also displayed an aimbot, gun recoil reducer, and autofire feature, with a box indicating “vote Putin.”

Soon after hacking, the perpetrators displayed the following message:

“Apex hacking global series, by Destroyer2009 &R4andom.”

Apparently, the hackers used a cheat program to deploy “wall hacks” or visibility hacks, allowing them to see all other players. 

In another Apex Legends match, a player named ImperialHal faced a similar incident. On their X account, the player noted getting an “aimbot,” which is a common cheating technique allowing players to hit any player without actually aiming at them. 

This led to the tournament organizers suspending and postponing the North American tournament, causing concern among players.

“Due to the competitive integrity of this series being compromised, we have made the decision to postpone the finals at this time. We will share more information soon,” Apex Legends Esports posted on their official X account.

The cause of the incident remains unclear, as Electronic Arts, publisher of Apex Legends, and Genburten and ImperialHal have not provided any more details. It was speculated that it could have been an RCE exploit or remote code execution attack. However, Easy Anti-Cheat, the game’s anti-cheat solution, maintains that its software remains secure with no known vulnerabilities.

“We are confident that there is no RCE vulnerability within EAC being exploited,” Easy Anti-Cheat confirmed.

A video showing this incident was posted on X and shared on multiple YouTube channels. The video shows Genburten seeing other players highlighted on the map, even behind walls, and through in-game obstacles before a window appears with a menu for cheats called “TSM HALAL HOOK.”

Respawn Entertainment, the developer behind Apex Legends, is currently investigating the situation. The exploitation during a major tournament raises doubts about current measures and the future of competitive gaming. Respawn’s investigation is needed to restore trust and ensure tournament integrity.

This is not the first time that a gaming tournament has gone through cybersecurity-related issues. In January 2022, cybercriminals managed to carry out successful DDoS attacks on a Minecraft event that crippled the internet of Andorra, a country based in Europe.

1.  **Online gaming and protection against cyber attacks**
2.  **Minecraft declared the most malware-infected game**
3.  **Modern Gaming Sucks Because of Abundance Fatigue**
4.  **EA Sports down – Gaming giant hit by massive DDoS attacks**
5.  **Gcore Thwarts 500 Million PPS DDoS Attack on Gaming Form**

Pro Players Hacked Live On Stream! Apex Legends Tournament Postponed

By Waqas
Another day, another malware threat emerges in a country already at war.
This is a post from HackRead.com Read the original post: New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine

SentinelLabs researchers have discovered “AcidPour,” a variant of the AcidRain Linux malware targeting Linux systems in Ukraine. This new strain expands on its predecessor and poses a risk to users.

Researchers at SentinelLabs have uncovered a new variant of the Acid Rain malware, dubbed “Acid Pour,” which has emerged in Ukraine. The discovery was made over the weekend, with J. A. Guerrero-Saade, AVP of SentinelLabs, sharing insights via X (formally Twitter).

The original AcidRain malware surfaced in March 2022, notably used during the ‘Viasat hack,’ which disrupted KA-SAT Surfbeam2 modems at the onset of the Russian invasion of Ukraine.

> It's been an interesting weekend! Eagle-eyed @TomHegel spotted what appears to be a new variant of AcidRain. Notably this sample was compiled for Linux x86 devices, we are calling it 'AcidPour'. Those of you that analyzed AcidRain will recognize some of the strings. Analysis 🧵 pic.twitter.com/wY3PJKaOwK
> 
> — J. A. Guerrero-Saade (@juanandres\_gs) March 18, 2024

TomHegel, Principal Threat Researcher at SentinelLabs, identified the new variant, compiled specifically for Linux x86 devices. While AcidPour shares similarities with AcidRain in certain strings, it separates significantly in its codebase, compiled for x86 architecture rather than MIPS.

It is worth noting that popular Linux distros for x86 devices include Ubuntu, Mint, Fedora, and Debian. On the other hand, MIPS (Microprocessor without Interlocked Pipelined Stages) is a type of instruction set architecture (ISA), which essentially defines the language a processor understands and uses to execute instructions. Similar to x86, it’s a set of rules and specifications for how a processor operates.

AcidRain operated as a generic wiper, targeting common directories and device paths on embedded Linux distros. AcidPour, however, introduces new elements, referencing Unsorted Block Images (UBI) and virtual block devices associated with Logical Volume Manager (LVM), suggesting a potential expansion of targets beyond previous iterations.

Despite the similarities, there are notable differences, including a distinct wiping logic for devices like LVMs, indicating a potentially evolved strategy by threat actors. The good news is that SentinelLabs has raised awareness of AcidPour among stakeholders in Ukraine, although the specific targets and scope of the operation remain unclear.

The discovery goes on to show how fast malware threats are evolving, with attackers adapting their tactics to exploit vulnerabilities in various systems. From the perspective of an unsuspecting user or an organization in the business, both must keep an eye on cybersecurity threats like AcidRain and AcidPour.

Begin by prioritizing training for yourself and your employees, as phishing attacks act as a primary gateway for malware infection. Consider leveraging AI-powered chatbots such as ChatGPT or Gemini AI to compile a concise yet essential guide outlining preventive measures against phishing, malware, ransomware, and data breaches.

1.  Someone DDoSed Ukraine’s national postal service for 48 hours
2.  DDoS Attack and Data Wiper Malware hit Computers in Ukraine
3.  Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine
4.  ‘Destructive malware’ fakes ransomware to target Ukrainian orgs
5.  Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

New AcidRain Linux Malware Variant “AcidPour” Found Targeting Ukraine

By Waqas
Cyber Warfare Takes Flight: Geopolitics Fuel Attacks on Airlines - Dark Web Tool Aims at E-commerce!
This is a post from HackRead.com Read the original post: Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted

Cybersecurity researchers have published two concerning reports where the first report highlights the surge in cyber attacks against the aviation and aerospace industries – And the second report exposes a dark web tool called TMChecker fueling attacks against E-commerce platforms.

Recent cyber incidents targeting the aerospace and aviation sectors have raised concerns about the industry’s vulnerability to malicious attacks, according to a report by Resecurity. The report highlights the critical need for strong cybersecurity risk assessments to protect airports and aviation infrastructure.

The aerospace sector, including the design, manufacturing, and maintenance of aircraft and spacecraft, has become a prime target for cyberattacks due to its reliance on interconnected digital infrastructures and global supply chains.

The integration of Industrial Internet of Things (IIoT) technologies has further strengthened this threat, making aerospace organizations more vulnerable and susceptible to cyber attacks.

Credit: Resecurity

****Ransomware Attacks & The Aviation Industry****

Ransomware emerges as a top threat facing the aviation industry, with a 600% increase in occurrences reported by Boeing Chief Security Officer Richard Puckett at the 2023 Aviation Week MRO Americas Conference.

The European Organisation for the Safety of Air Navigation (Eurocontrol) also highlighted ransomware as the sector’s leading attack trend in 2022, accounting for 22% of all malicious incidents. Some of the examples highlighted in the report include the LockBit ransomware gang’s attack on Boeing in November 2023, which the aviation giant later confirmed.

****Geopolitical tensions & The Aviation Industry****

According to Resecurity’s blog post titled “The Aviation And Aerospace Sectors Face Skyrocketing Cyber Threats,” geopolitical tensions and the designation of aerospace and aviation as critical infrastructure by the U.S. government have fueled cyberattacks targeting the industry.

Threat actors, including hacktivist collectives, are increasingly targeting aviation organizations to advance political agendas or disrupt operations. One such example is the hacktivist group Anonymous Sudan which targeted FlyDubai, an Emirati government-owned airline in Dubai, United Arab Emirates in February 2024 citing the company’s alleged support to the Rapid Support Forces (RSF) in Sudan.

Other recent cyberattacks targeting the aerospace sector include Distributed Denial of Service (DDoS) attacks by groups such as Mysterious Team Bangladesh (MTB) against Saudi Arabian airports and ALTOUFAN TEAM against Gulf Air.

> In stand with our steadfast Palestinian people in Gaza Strip in their brave and honorable resistance,ALTOUFAN TEAM targets companies normalized with the Zionist entity , Bahrain International Airport and the Bahraini national carrier “Gulf Air” servers and website…… pic.twitter.com/OKOhR12M3S
> 
> — ALTOUFAN TEAM (@altoufanteam) November 22, 2023

Additional incidents involve ransomware attacks on airlines like Air Albania and Continental Aerospace Technologies, compromising critical data and disrupting operations.

**T**MChecker – Dark Web Tool Targeting Remote Access and E-Commerce Platforms****

In another report published on March 13, 2024, Resecurity detailed a new cybersecurity threat named TMChecker that has surfaced on the Dark Web, posing a notable risk to remote-access services and popular e-commerce applications.

Developed by an actor known as “M762” on the Russian language XSS cybercrime forum, TMChecker is a sophisticated tool that combines corporate access login (log) checking capabilities with a brute-force attack kit. Available for a monthly subscription fee of $200, TMChecker has garnered attention for its ability to target a wide range of VPN gateways, email servers, and e-commerce platforms.

Credit: Resecurity

TMChecker stands out from similar tools like ParanoidChecker due to its focus on corporate remote access gateways, which are often primary targets for ransomware attacks and other malicious activities. The tool supports 17 solutions, including Cisco VPN, Citrix VPN, Office 365, WordPress, Magento, and cPanel, among others, making it a versatile and powerful weapon.

Cybercriminals exploit TMChecker to identify compromised data containing valid credentials for corporate VPN and email accounts. In one observed incident, threat actors used TMChecker to target the email server of a government organization in Ecuador, demonstrating the tool’s real-world impact.

M762 operates a Telegram channel with over 3,270 subscribers, potentially indicating a sizable user base for TMChecker. The addition of such tools aligns with a concerning trend highlighted in recent Microsoft research, which noted a significant increase in human-operated ransomware attacks.

These attacks often involve the abuse of remote monitoring and management tools, leaving behind less evidence compared to automated attacks delivered through malicious documents.

As TMChecker and similar tools lower the barriers to obtaining remote access credentials, the risk of destructive ransomware attacks and other malicious campaigns amplifies. This threat is particularly acute in the context of mergers and acquisitions, where cybercriminals target vulnerable organizations to exploit for financial gain.

1.  Cl0p ransomware gang hits Aviation giant Bombardier
2.  Hackers Uncover Airbus EFB App Flaws, Risking Aircraft Data
3.  Israeli: Hackers Targeted EL AL Flights in Mid-Air Hijack Attempt
4.  Military Satellite Access Sold on Russian Hacker Forum for $15,000
5.  Hackers posing as LinkedIn recruiters to scam military, aerospace firms

Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted

By Deeba Ahmed
Mikhail Vasiliev, a Russian-Canadian citizen faces four years in a Canadian prison and is likely to be extradited to the US after completing his sentence.
This is a post from HackRead.com Read the original post: LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

Mikhail Vasiliev was also fined $860,000 for his involvement in the LockBit gang’s attacks. This case highlights the international effort to combat cybercrime and the severe consequences awaiting perpetrators.

A Russian-Canadian citizen, Mikhail Vasiliev, has been sentenced to nearly four years in prison for his involvement in the notorious **LockBit ransomware operation**. Vasiliev will also pay $860,000 in restitution to his Canadian victims.

Vasiliev’s lawyer reportedly argued that he turned to cybercrime due to financial difficulties during the **COVID-19 pandemic**.  However, Justice Michelle Fuerst rejected this justification, calling Vasiliev a _Cyber Terrorist_ whose actions were motivated by _greed_ and his crimes were “_far from_ _victimless crimes_.”

Investigations revealed Vasiliev’s role as a key member of the LockBit ransomware gang, involved in a significant number of cyberattacks with ransom demands ranging between €5m-€70 million. Vasiliev took responsibility for his actions, as confirmed by his lawyer Louis Strezos.

Vasiliev, 34, was arrested in October 2022 from his residence in Bradford, Ontario where he had moved from Moscow 20 years ago. He pleaded guilty in February 2024 to stealing victims’ computer data and using it for extortion.

Moreover, according to Canadian media **reports**, he admitted targeting at least three Canadian organizations, encrypting their data, and seeking ransom payments between 2021-2022, making $100 million in ransom demands for the gang from around 1,000 cyberattacks on victims in the U.S. and globally,

Vasiliev primarily targeted businesses in Saskatchewan, Montreal, and Newfoundland. His attacks likely caused significant disruptions and financial losses to the targeted businesses.

In November 2022, the US Department of Justice announced separate charges for his involvement in LockBit attacks. Vasiliev is set to be extradited to the U.S. for facing these additional charges

**LockBit, active since 2020**, operates under a ransomware-as-a-service (RaaS) business model, where affiliates exploit intrusions and deploy ransomware in exchange for some percentage of ransom payment.

In 2023, the gang gained significant profits from targeting companies like Boeing and Allen & Overy and exploited the **Citrix bleed security flaw** tracked as CVE-2023-4966 (CVSS score: 9.4).

LockBit’s infrastructure was **dismantled** by the law enforcement authorities in February 2024 as part of Operation Cronos with the seizure of 34 servers and 200 cryptocurrency accounts. Just a week after its seizure, LockBit **reemerged** with new leak sites, but RaaS is unlikely to recover. It claimed Operation Cronos was successful due to its negligence in updating PHP settings.

So far, Authorities have arrested six suspects in connection to LockBit, including Vasiliev, Ruslan Magomedovich Astamirov who was arrested **in June 2023**, two Russian nationals Artur Sungatov and Ivan Kondratyev, alias Bassterlord, and two others **arrested** in Ukraine and Poland.

Vasiliev’s potential extradition is a sign of growing international cooperation in combating cybercrime and serves as a warning to other gangs involved in such activities.

1.  Ragnar Locker Ransomware Dismantled, Key Suspect Arrested
2.  Alcasec Hacker, aka “Robin Hood of Spanish Hackers,” Arrested
3.  Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US
4.  LockBit ransomware blames victim for DDoS attack on its website
5.  Multimillion-Dollar Vishing Scam Busted: Czech-Ukrainian Gang Arrested

LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition

By Waqas
Another day, another cyber attack on a local council in England!
This is a post from HackRead.com Read the original post: Leicester City Council’s IT System and Phones Down Amid Cyber Attack

Leicester City Council grapples with a cyber attack, causing major disruption to residents. IT systems and phone lines remain down as authorities work to restore crucial services. Recovery is expected by midweek.

Leicester City Council continues to face disruption after a cyber attack forced them to shut down IT systems and phone lines last Thursday (March 7, 2024). While the nature of the attack remains undisclosed, officials are working alongside cybersecurity specialists and law enforcement to assess the damage and restore functionality.

“This incident highlights the growing vulnerability of local authorities to cyber threats,” said Richard Sword, strategic director of city developments and neighbourhoods at Leicester City Council. “Our priority is to minimize disruption to critical services and get our systems back online as swiftly as possible.”

The council anticipates a phased recovery process, prioritizing the restoration of essential services by midweek. Residents seeking urgent assistance can utilize the emergency phone lines established on the council’s website.

****Limited Services and Public Frustration****

The shutdown has caused significant inconvenience for residents. Essential services like council tax payments and license renewals are currently unavailable. Local Green Party councillor Patrick Kitterick expressed concern, stating the prolonged outage poses a serious challenge, especially considering the council’s role in civil emergency response.

****Ransomware Attack or Not?****

Since it’s not clear whether the incident was a ransomware attack or a DDoS attack, we reached out to William Wright, CEO of Closed Door Security, for his insights. Given the history of cyber attacks on local councils, William cautioned that this might turn out to be a costly and disruptive ransomware attack.

“We don’t know what type of attack Leicester City Council is suffering from but given the recent spate of ransomware attacks targeting public authorities, it’s likely to be ransomware,” William said.

He warned that the government must take action to tackle the vulnerable situation. “Earlier this week, the government responded to a report from a Parliamentary Committee on ransomware, which said it was not doing enough to keep the country safe from the threat, but the government didn’t agree with the findings, maybe this latest attack on Leicester City Council will act as a wake-up call.”

****Further Developments Expected****

Leicester City Council is expected to provide updates on the situation as progress is made. Residents are encouraged to visit the council’s website for the latest information and alternative contact methods.

This attack comes amidst a concerning trend targeting local government bodies across the UK. The incident also goes on to show the need for basic cybersecurity measures including employee training to protect critical infrastructure from sophisticated cyber threats.

1.  Freecycle Data Breach Impacts 7 Million Users
2.  UK Power and Data Manufacturer Volex Hit by Cyberattack
3.  Anonymous Sudan DDoS Attack on London Internet Exchange
4.  Hackers Attack UK’s Nuclear Waste Services Through LinkedIn
5.  Contractor Database Leaks Irish Police Vehicle Seizure Records

Leicester City Council’s IT System and Phones Down Amid Cyber Attack

By Deeba Ahmed
In June 2023, Xplain, a Swiss IT services provider, fell victim to a cyberattack claimed by the Play ransomware group.
This is a post from HackRead.com Read the original post: Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

Following the cyberattack on Swiss IT service provider, Xplain, details of the leaked data have been disclosed in a press release from the Swiss National Center for Cybersecurity (NCSC) – The Federal Office for Cybersecurity (BACS) has also taken part in the investigation.

The department analyzed the data leaked stolen by the Play ransomware group from Xplain, which is a “major provider of IT services to national and cantonal authorities,” the department confirmed.

****Background****

Back in May 2023, hackers exploited a vulnerability to target Xplain servers hosting applications for cantonal services, blocking access until a key or unblocking tool is sent in exchange for ransom. The attack, carried out by the Play ransomware group, had far-reaching consequences, impacting the Federal Office of Police, the Federal Office of Customs and Border Protection, Swiss Federal Railways and Aargau cantonal authorities.

In June 2023, Swiss federal government websites and the Swiss Federal Railways’ online portal were targeted in DDoS attacks, causing several websites to be unavailable. The finance ministry reported on 12 June 2023 that a pro-Russian group, “NoName,” claimed responsibility for the attack on its Telegram channel and that no data was lost in the attack. This group was also involved in the attack on the Swiss parliament website earlier in June 2023.

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

As per NCSC’s press release published earlier today, the BACS then took over the coordination of incident response within the federal administration and analysis of leaked data. A policy strategy crisis team was formed on 28 June and an administrative investigation was launched officially on 23 August to find out details of data leak at Xplain.

Official dark web leak site on the Play ransomware group (Screenshot: Hackread.com)

****Report Details****

The BACS emphasized that the report focuses on data types and analysis challenges, not the content of leaked data. Around 70% (around 47,413) of files belong to Xplain and 14% (9,040) to the Federal Administration.  Hackers have leaked 95% of the 9040 files belonging to the Swiss federal government, mainly from the Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration, and ISC-FDJP. 

Around half of the Federal Administration’s files contain sensitive content like personal data, technical information, classified information, and passwords, with 4,779 files containing personal data, and 278 files containing technical information. 121 objects were dubbed classified under the Information Protection Ordinance with 4 of them containing readable passwords.

The department aims to collaborate with authorities and Xplain to address potential consequences. This investigation is expected to be completed in March 2024.

****About Play Ransomware Group****

The Play ransomware group is believed to be based in Russia and is responsible for around 300 successful attacks on businesses and critical infrastructure in North America, South America, and Europe from June 2022 to October 2023. The group uses a double extortion model, ranging from unauthorized access to external services like RDP and VPN.

1.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals
2.  LockBit Ransomware Gang Returns, Taunts FBI, Vows Data Leaks
3.  LoanDepot Ransomware Attack Leads to Data Breach; 17M Impacted
4.  Schneider Electric Energy Giant Confirms Cactus Ransomware Attack
5.  TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware

Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

By Deeba Ahmed
Another day, another Linux malware!
This is a post from HackRead.com Read the original post: New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

Linux Users Beware: “Spinning YARN” Malware Campaign Targets Misconfigured Servers Running on Apache Hadoop YARN, Docker, Confluence and Redis.

Cado Security Labs has discovered an emerging Linux malware campaign dubbed Spinning Yarn targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis web-facing services. 

The emergence of the new Linux malware shouldn’t come as a surprise, given the recent surge in threats targeting Linux devices and servers. Just a couple of days ago, an old Linux malware known as Bifrost RAT resurfaced with a new variant that mimics VMware domains.

According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. 

These services are crucial components in organizations’ IT infrastructure. Docker is critical for developing, deploying, and managing containerized applications. Apache Hadoop allows distributed processing of large datasets. Redis, a widely used in-memory data store, helps in caching real-time applications, and Confluence allows collaboration and knowledge management.

By compromising these applications, attackers can gain unauthorized access to systems, steal sensitive data, disrupt operations, or deploy ransomware, posing a significant threat to servers and critical infrastructure.

In Spinning Yarn, threat actors have used several unique payloads, including four Golang binaries that automate the discovery and infection of hosts and let them exploit code. They use Confluence to exploit common misconfigurations and vulnerabilities, launching Remote Code Execution (RCE) attacks and infecting new hosts.

The attackers exploit CVE-2022-26134, an n-day vulnerability in Confluence, and deploy a container for the Docker compromise. The vulnerability has been exploited since 2022, including by Mirai malware variant V3G4 against IoT devices for DDoS attacks

Further probing revealed a series of shell scripts and standard Linux attack techniques used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to compromised hosts. They also deploy an instance of the Platypus open-source reverse shell utility to maintain access.

In an attempt to evade detection, multiple user-mode rootkits are deployed. Researchers observed that the shell script payloads employed in this campaign share similarities with those used in previous cloud attacks.

In their blog post, Cado Security Labs detailed initial access activity on a docker Engine API honeypot on this IP address: 47966971. The attacker spawned a new container using Alpine Linux and created a bind mount for the underlying server’s root directory. This technique is common in Docker attacks, allowing attackers to write files to the host and execute a job for the Cron scheduler eventually achieving RCE.

In this campaign, the attacker wrote an executable and registered a Cron job to execute base64-encoded shell commands. Such extensive attack on Linux applications demonstrates attackers’ growing sophistication in targeting web-facing services in cloud environments, keeping abreast of vulnerabilities.

To mitigate the risks from campaigns like Spinning Yarn, regularly update software, enable strong passwords, educate employees on cybersecurity best practices, segment your network to limit potential damage, and deploy security solutions like endpoint security solutions and firewalls to detect and prevent malware infections. This will help protect against known vulnerabilities and ensure a secure environment.

1.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
2.  Free Download Manager Site Pushed Linux Password Stealer
3.  Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
4.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

By Waqas
Logged out of your Meta Platform services?
This is a post from HackRead.com Read the original post: Meta Platforms Face Outage: Facebook, Instagram, Messenger, Threads Down

You are not alone, Facebook, Instagram, Messenger and Threads are down worldwide.

Users of Meta Platforms’ services, including Facebook, Instagram, Messenger, and Threads, are currently experiencing difficulties accessing their accounts. Reports indicate a widespread outage impacting individuals globally.

Starting around 4:30 PM GMT, a surge in user reports on Downdetector, a platform tracking online outages, signaled login issues across all four platforms. Users attempting to log in have encountered error messages, with some being logged out unexpectedly. The problem appears to be affecting users on both desktop and mobile applications.

Instagram error (screenshot: Hackread.com)

Meta Platforms has yet to acknowledge the outage on its official communication channels officially, but it’s expected that the company is actively investigating the cause of the issue.

The full extent of the outage remains unclear, but it’s evident that it’s not limited to just Facebook. Downdetector is currently swamped with user reports for all four affected platforms, suggesting a significant disruption to Meta’s services.

Here’s what we know so far:

*   **The outage began around 4:30 PM GMT.**
*   **Both desktop and mobile platforms seem to be affected.**
*   **Meta Platforms has not yet officially acknowledged the issue.**
*   **Users across the globe are facing problems accessing Facebook, Instagram, Messenger, and Threads.**

This is a developing story, and we will update this article as more information becomes available. We advise users to monitor Meta’s official channels for further updates and avoid attempting repeated logins to prevent potential account security issues.

1.  Video Chat Website Omegle Permanently Shuts Down
2.  ChatGPT Down? Anonymous Sudan Claims Responsibility
3.  ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Meta Platforms Face Outage: Facebook, Instagram, Messenger, Threads Down

Red Hat Security Advisory 2024-0269-03 - An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0269.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Run Once Duration Override Operator for Red Hat OpenShift 1.1.0 for RHEL 9  
Advisory ID:        RHSA-2024:0269-03  
Product:            Run Once Duration Override Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0269  
Issue date:         2024-02-28  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Run Once Duration Override Operator for Red Hat OpenShift is an optional  
operator that makes it possible to override activeDeadlineSecondsOverride  
field during pod admission.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2253193  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://issues.redhat.com/browse/OCPBUGS-25123  
https://issues.redhat.com/browse/WRKLDS-897

Tag

#ddos