By Waqas
While OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments. 
This is a post from HackRead.com Read the original post: OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

The OracleIV botnet malware employs various tactics, with a primary focus on executing DDoS attacks through UDP and SSL-based floods.

Cybersecurity researchers at Cado Security Labs have exposed a novel (Distributed Denial of Service) DDoS botnet malware dubbed OracleIV targeting publicly exposed Docker Engine API instances.

The findings were part of an investigation into a malicious campaign exploiting misconfigurations in Docker containers to deliver Python malware, compiled as an ELF executable.

Lately, Docker Engine APIs have been frequent targets of cybercriminals since the method has gained popularity due to the increasing adoption of microservice-driven architectures. Attackers exploit the unintentional exposure of the Docker Engine API, often scanning for vulnerable instances to deliver payloads with nefarious objectives.

In the case of the new OracleIV DDoS botnet malware, the attackers initiate access with an HTTP POST request to Docker’s API, specifically the /images/create endpoint. This triggers a docker pull command, fetching a specified image from Dockerhub. Once the malicious image is retrieved, a container is launched to carry out the attacker’s objectives.

Cado Security researchers uncovered a live Dockerhub page for an image named “oracleiv_latest” uploaded by the user “robbertignacio328832.” The image, seemingly harmless as a “Mysql image for docker,” included a malicious payload named “oracle.sh,” an ELF executable acting as a DDoS bot agent. Further analysis revealed additional commands to retrieve XMRig and a miner configuration file.

Static analysis of the executable exposed a 64-bit ELF compiled with Cython, confirming the OracleIV malware’s Python code origin. The malware code, succinct yet potent, contains various functions dedicated to different DDoS methods.

“This image was still live at the time of writing and had over 3,000 pulls,” researchers explained in a blog post. Additionally, it seems to be undergoing frequent updates, with the latest modifications pushed just three days prior to the publication of Cado’s blog.

Dockerhub page for oracleiv\_latest (Cado Security)

The bot connects to a Command and Control server (C2), performing basic authentication with a hardcoded password. Cado Security Labs monitored the botnet’s activity, witnessing DDoS attacks on various targets, primarily using UDP and SSL-based floods.

The C2 commands for initiating DDoS attacks follow a specific format, specifying attack type, target IP/domain, attack duration, rate, and target port. The botnet’s capabilities include UDP floods, SSL-based attacks, SYN floods, slowloris-style attacks, and protocol-specific floods targeting the FiveM server and Valve source engine.

While OracleIV is not a **supply chain attack**, it highlights the ongoing threat of misconfigured Docker Engine API deployments. The portability of containerization enables attackers to execute malicious payloads consistently across Docker hosts.

Although Cado Security has reported the malicious user to Docker, users are urged to conduct periodic assessments of pulled images from Dockerhub, emphasizing the need for vigilance against malicious code.

In conclusion, the OracleIV campaign highlights the importance of securing internet-facing services and implementing strong network defences. Users of Docker and similar services are encouraged to regularly review their exposure and take necessary precautions against potential cybersecurity threats.

****_RELATED ARTICLES_****

1.  **SSH Remains Most Targeted Service in Cado’s Cloud Threat Report**
2.  **Change your password: Docker suffers breach; 190k users affected**
3.  **Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware**
4.  **Cryptomining and Malware Flourish on Misconfigured Kubernetes Clusters**
5.  **ShellTorch Attack Exposes Millions of PyTorch Systems to RCE Vulnerabilities**

OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.

**Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack**

Moderate severity GitHub Reviewed Published Nov 13, 2023 to the GitHub Advisory Database • Updated Nov 14, 2023

GHSA-gw7g-qr8w-3448: Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47163: Release v0.17.1 · remarshal-project/remarshal

IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  267484.

**Security Bulletin**

  

**Summary**

IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. Additionally, a cross site scripting issue was found. These have been addressed in the update.

**Vulnerability Details**

**CVEID:**   CVE-2020-22218  
**DESCRIPTION:**   libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read in the \_libssh2\_packet\_add function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266252 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20593  
**DESCRIPTION:**   AMD Ryzen, Gen AMD EPYC Processors could allow a local authenticated attacker to obtain sensitive information, caused by a use-after-free flaw in the vzeroupper instruction. By conducting a cache timing attack using a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive data used by other processes, such as passwords and encryption keys, at a rate of 30KB/sec from each CPU core.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261343 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2023-35788  
**DESCRIPTION:**   Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an off-by-one flaw in the fl\_set\_geneve\_opt fucntion. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257458 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-44730  
**DESCRIPTION:**   Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to probe user profile/data and send it directly as parameter to a URL.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264130 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-44729  
**DESCRIPTION:**   Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to cause resource consumption and obtain sensitive information.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264129 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

**CVEID:**   CVE-2023-20900  
**DESCRIPTION:**   VMware Tools could allow a remote attacker to bypass security restrictions, caused by improper SAML token signature verification. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to perform VMware Tools Guest Operations  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264792 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-3341  
**DESCRIPTION:**   ISC BIND is vulnerable to a denial of service, caused by a stack exhaustion flaw in control channel code. By sending a specially crafted message over the control channel, a remote attacker could exploit this vulnerability to cause named to terminate.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266515 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-3899  
**DESCRIPTION:**   Red Hat Enterprise Linux could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper authorization by the subscription-manager. By sending a specially crafted request through D-Bus interface com.redhat.RHSM1, an authenticated attacker could exploit this vulnerability to gain elevated privileges to an unconfined root.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264328 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-43057  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267484 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM QRadar SIEM

7.5 - 7.5.0 UP7

**Remediation/Fixes**

**IBM strongly encourages customers to update their systems promptly.**

**Product**

**Version**

**Remediation/First Fix**

IBM QRadar SIEM

7.5.0 

7.5.0 UP7 IF02

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

10 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-43057: Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities

Plus: A DDoS attack shuts down ChatGPT, Lockbit shuts down a bank, and a communications breakdown between politicians and Big Tech.

Drones, hidden cameras, thermal vision scopes—these are just a few examples of the high-tech equipment recommended by the animal liberation group Direct Action Everywhere, according to a manual released by the organization this week. The document, which was reviewed by WIRED, is a rare glimpse into how the organization is using tech to target factory farms in often brazen operations that have rescued pigs, goats, ducks, and chickens.

Extremist groups are experimenting with generative AI to flood social media with propaganda and misinformation, researchers at Tech Against Terrorism have told WIRED. A new report from the group details how, in recent months, terrorists and other extremist organizations have been using artificial intelligence to manipulate imagery and thwart content moderation. As platforms have struggled to keep up with this flood of extremist content, a new tool called Altitude, built in collaboration between Tech Against Terrorism and Google, is seeking to address the problem. The tool centralizes the collection of verified terrorist content, allowing companies to easily vet posts shared to their platforms.

Israel is exacerbating the humanitarian catastrophe in Gaza by likely imposing devastating internet blackouts in the region. Last week, Israel reportedly imposed a full internet shutdown in the area as its troops moved into the Gaza Strip. After internet access was restored, the area suffered two additional connectivity blackouts. The most recent lasted for about 15 hours on Sunday as Israel was carrying out an intense operation to cut off Gaza City in the north from southern Gaza.

In other infrastructure news, a report from the ​​cybersecurity firm Mandiant reveals that last year, the Russian military intelligence agency known as Sandworm carried out a power grid attack targeting a Ukrainian electric utility causing a blackout for Ukrainian civilians. According to the report, the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country.

The third GOP presidential primary debate was livestreamed on Rumble, a YouTube alternative home to what the Southern Poverty Law Center says is one of America’s most notorious white nationalists, Nick Fuentes. Since the outbreak of the Israel-Hamas conflict last month, Fuentes has used his Rumble channel to push antisemitic hate speech and Holocaust denial conspiracies, racking up hundreds of thousands of views. Fuentes’ YouTube account was terminated in 2020 after Google demonetized it.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there

On Wednesday, you and everyone you know had trouble getting ChatGPT to ghostwrite their emails as developer OpenAI was hit by what it thought was a distributed denial-of-service attack. For nearly two hours, users who tried to access the chatbot were greeted with a message telling them “ChatGPT is at capacity right now.”

In a tweet, OpenAI CEO Sam Altman initially blamed its outage on a surge in interest in the platform's new features. By Wednesday night the company announced that the periodic outages were due to an “abnormal traffic pattern reflective of a DDoS attack.”

While it’s unclear who is behind the attack, a group known as Anonymous Sudan claimed responsibility on Wednesday, posting on Telegram that it had targeted OpenAI for "general biases towards Israel and against Palestine." OpenAI has since resolved the issue.

The US arm of the Industrial and Commercial Bank of China was hit by a ransomware attack that disrupted trades in the US Treasury market on Thursday. The bank appears to be the latest victim of the prolific ransomware gang known as Lockbit. According to the US Cybersecurity and Infrastructure Security Agency, Lockbit has hit 1,700 US organizations since 2020 and extorted more than $100 million in ransom demands. Last month it threatened Boeing with a leak of sensitive data.

"ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication," China's foreign ministry spokesperson Wang Wenbin said at a press conference.

Signal is beta testing usernames that will allow people to communicate using the encrypted service without exchanging phone numbers, further enhancing the app's privacy applications. The feature will go live in early 2024.

Support for usernames is a major step for the messaging service as Signal has apparently been working on the feature for years. Though accounts will still need to be associated with a phone number at setup, the introduction of usernames will allow users to connect without having to share it.

Cooperation between government, researchers, and tech companies aimed at countering disinformation online is evaporating thanks to a sustained campaign by US Republicans in the press, courts, and on Capitol Hill. Tech employees tell NBC the FBI has halted communications with social media firms about foreign influence campaigns, a move the FBI director attributed to a September ruling in the country's most conservative appellate court forbidding the government from "significantly" encouraging social media companies to remove misinformation.

“We’re having some interaction with social media companies,” FBI director Christopher Wray said in testimony last week to the Senate Homeland Security Committee. “But all of those interactions have changed fundamentally in the wake of the court rulings.”

According to NBC, all the FBI’s interactions with tech platforms now have to be supervised by Justice Department lawyers.

Signal Is Finally Testing Usernames

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

CVE-2023-46849

Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum via REST API calls.


**Vulnerabilities in Volkswagen in-vehicle infotainment systems**

Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum via REST API calls.

**Demo Video Volume Manipulation**

**Demo Video IVI DoS**

CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2023-6073

Discovered by Hannah Wieser, Jannis Hamborg, Timm Lauser, Thomas Schäfer, Christoph Krauß at the DEPARTMENT OF COMPUTER SCIENCE at h\_da Hochschule Darmstadt.

CVE-2023-6073: CVE-2023-6073: DoS and Control of Volume Settings for VW ID.3 ICAS3 IVI ECU - Automotive Security Research Group

IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service.  IBM X-Force ID:  267965.

CVE-2023-45167

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5954

**HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability**

Moderate severity GitHub Reviewed Published Nov 9, 2023 to the GitHub Advisory Database • Updated Nov 10, 2023

**Package**

gomod github.com/hashicorp/vault (Go)

**Affected versions**

< 1.13.10

\>= 1.14.0, < 1.14.6

\>= 1.15.0, < 1.15.2

**Patched versions**

1.13.10

1.14.6

1.15.2

**Description**

Published to the GitHub Advisory Database

Nov 9, 2023

Last updated

Nov 10, 2023

Tag

#dos