Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-27933: Pexip security bulletins | Pexip Infinity Docs

CVE-2022-26657: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.

CVE-2022-26655: Pexip security bulletins | Pexip Infinity Docs

CVE-2022-27932: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.

CVE-2022-27937: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.

CVE-2022-26656: Pexip security bulletins | Pexip Infinity Docs

By Waqas
Mantis Botnet launched 3,000 DDoS attacks in one month using only 5,000 small bots after which Cloudflare dubbed…
This is a post from HackRead.com Read the original post: Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

****Mantis Botnet launched 3,000 DDoS attacks in one month using only 5,000 small bots after which Cloudflare dubbed the botnet as “the most powerful botnet to date.”****

According to Cloudflare content distribution network, a botnet named after a small shrimp is so powerful that it has launched the biggest ever DDoS attacks. Dubbed Mantis, the botnet has thus far targeted around 1,000 Cloudflare customers within the past few weeks.

The company revealed that it thwarted a brief but record-shattering DDoS attack peaking at 26 million rps (requests per second) in June. Ever since that attack, the internet infrastructure company has been tracking Mantis.

If you wonder why Cloudflare named it after the laser-legged Mantis, the company revealed that the botnet is similar to Meris, therefore the name reflects its origin and the capability to hit hard and fast.

**Mantis Doesn’t Use IoTs**

Cloudflare explained in its blog post that the Mantis botnet comprises nearly five thousand compromised machines. It mainly hijacks virtual servers and machines hosted by cloud firms instead of using low-bandwidth IoT devices like routers and DVRs.

It is worth noting that the Meris botnet used IoT devices, including hijacked MikroTik routers to attack popular websites. The botnet was also behind the massive DDoS attack on Yandex, a popular Russian search engine and technology firm.

In the same manner, the Mantis botnet operates through a “small fleet of” bots that can quickly generate massive force and launch large-scale HTTP DDoS attacks, which are actually more “computationally expensive” as the attacker has to establish an encrypted transport layer security connection. Thus, it seems like the beginning of the next phase in Meris botnet evolution.

> “Mantis has branched out to include a variety of VM platforms and supports running various HTTP proxies to launch attacks.”
> 
> Cloudflare

**Targets of Mantis Botnet**

Cloudflare reported that in June, the Mantis botnet launched more than 3,000 HTTP DDoS attacks, and 36% of these attacks were targeted against the telco and internet sectors, game publishers, and news organizations. Additionally, it targeted French organizations’ websites, gambling sites, and e-commerce platforms.

Industry targeted by the Mantis botnet

Furthermore, nearly 20% of Mantis botnet targets were organizations in the US, and 15% were Russian organizations. Around 5% of the targets were identified in:

1.  India
2.  China
3.  Brazil
4.  Latvia
5.  Turkey
6.  France
7.  Poland
8.  Ukraine
9.  Cyprus
10.  Canada
11.  Sweden
12.  Vietnam
13.  Germany
14.  Philippines
15.  Hong Kong
16.  Netherlands
17.  United Kingdom

**Mantis vs Mirai**

Mired in controversy, the Mirai botnet has made headlines time and again. The Mirai botnet was introduced to the world after its first-ever attack harnessed over 100,000 devices to launch a massive DDoS against Dyn, a company that provides DNS services. The DDoS attack on Dyn was the largest DDoS attack on record at that time, clocking in at 1.2 Tbps.

However, the Mantis botnet is different from Mirai in that it relies on vulnerabilities in routers and other connected devices rather than hijacked IoT devices. This makes it more difficult to defend against, as there are many more potential targets.

However, Cloudflare was able to identify and block malicious traffic before it reached its targets. This successful defense against the Mantis botnet shows that companies are beginning to learn from the Mirai attack and are taking steps to protect themselves.

**More DDoS Attacks and Botnet News**

*   Cloudflare Thwarted Largest Ever HTTPS DDoS Attack
*   DDoS Attack and Data Wiper Malware hit Computers in Ukraine
*   Microsoft Azure customer hit by largest ever 3.47 Tbps DDoS attack
*   New malware attack turns Elasticsearch databases into DDoS botnet
*   DDoS attacks on Minecraft event crippled the internet of a European country

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

**Dmitri Shuralyov**

unread,

Jun 1, 2022, 11:00:01 PMJun 1

to golan...@googlegroups.com

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

*   crypto/rand: rand.Read hangs with extremely large buffers
    
    On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.
    
    Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset, for reporting this issue.
    
    This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.
    

*   crypto/tls: session tickets lack random ticket\_age\_add
    
    Session tickets generated by crypto/tls did not contain a randomly generated ticket\_age\_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
    
    Thanks to GitHub user @nervuri for reporting this.
    
    This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.
    

*   os/exec: empty Cmd.Path can result in running unintended binary on Windows
    
    If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed.
    
    Thanks to Chris Darroch (chris...@github.com), brian m. carlson (bk2...@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3) for reporting this.
    
    This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
    

*   path/filepath: Clean(\`.\\c:\`) returns \`c:\` on Windows
    
    On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(\`.\\c:\`) returned \`c:\`.
    
    Thanks to Unrud for reporting this issue.
    
    This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
    

View the release notes for more information:  
https://go.dev/doc/devel/release#go1.18.minor

You can download binary and source distributions from the Go web site:  
https://go.dev/dl/

To compile from source using a Git clone, update to the release with  
"git checkout go1.18.3" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,  
Dmitri and Alex for the Go team

CVE-2022-30634: [security] Go 1.18.3 and Go 1.17.11 are released

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft researchers have linked an emerging ransomware threat that already has compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since last year.

A group tracked by researchers from Microsoft Threat Intelligence Center (MSTIC) as DEV-0530 but that calls itself H0lyGh0st has been developing and using ransomware in attacks since June 2021.

The group has successfully compromised small-to-mid-sized businesses—including manufacturing organizations, banks, schools, and event and meeting planning companies—in multiple countries starting as early as September, researchers from MTIC and Microsoft Digital Security Unit (MDSU) said in a blog post published Thursday.

H0lyGh0st’s standard modus operandi is to use a namesake ransomware to encrypt all files on the target device using the file extension .h0lyenc, then send the victim a sample of the files as proof. The group interacts with victims on a _.onion_ site that it maintains and on which it provides a contact form for victims to get in touch, researchers said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

The group typically demands payment in Bitcoin in exchange for restoring access to the files. On its website, H0lyGh0st claims that it won’t sell or publish victim data if they pay, researchers said. However, it uses double extortion to pressure targets to pay, threatening to publish stolen data on social media or send it to the victims’ customers if they don’t meet ransom demands.

****Introducing H0lyGh0st****

H0lyGh0st’s ransomware campaigns are financially motivated, with researchers observing text linked to a ransom note that they intercepted in which attackers claim they aim to “close the gap between the rich and poor,” researchers said.

“They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they said.

DEV-0530 also has connections with another North Korean-based group tracked as PLUTONIUM, also known as DarkSeoul or Andariel, according to MSTIC, with researchers observing communications between the two groups. H0lyGh0st also has been seen using tools created exclusively by PLUTONIUM, they said.

****A Tale of Two Families****

Since it began using ransomware in June 2021 and until May 2022, H0lyGh0st has employed two custom-developed malware families–SiennaPurple and SiennaBlue, researchers said. MSTIC identified four variants linked to these families: BTLC\_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.

BTLC\_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in the open-source Go programming language, researchers said. All of the variants are compiled into .exe to target Windows systems, they said.

BLTC\_C.exe is a portable ransomware developed by the group that was first seen in June 2021. However, it may have been an early version of the group’s development efforts, as it doesn’t have many features compared to all malware variants in the SiennaBlue family, researchers said.

Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as SiennaBlue variants, they said.

Though new Go functions have been added to the various variants over time, all the ransomware in the SiennaBlue family share the same core Go functions, researchers observed. These features include various encryption options, string obfuscation, public key management, and support for the internet and intranet, researchers said.

****Most Recent Variant****

The latest ransomware variant to be used by the group is BTLC.exe, which researchers have seen in the wild since April of this year, they said.

BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device, researchers said.

The malware also includes a persistence mechanism in which it creates or deletes a scheduled task called _lockertask_ that can launch the ransomware. Once the malware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive, they said.

**_FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE._**

Emerging H0lyGh0st Ransomware Tied to North Korea

Researchers who helped thwart the Russian nation-state group's recent attack on Ukraine's power supply will disclose at Black Hat USA what they found while reverse-engineering the powerful Industroyer2 malware used by the powerful hacking team.

The infamous Sandworm threat group operating out of Russia's military GRU unit has no qualms about taunting researchers when it finds it is being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm's newer malware variants earlier this year: The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool — the very same tool the researchers had used to analyze the attackers' malware.

Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was brazenly — and sarcastically — making a point that the group knew ESET was on its trail. "There's no reason to use IDAPro" in an attack on an engineering substation because that's not a tool that would be used on that system, he explains. "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say."

That wasn't the only message Sandworm seemed to be sending. The group also dropped a Trojan-ridden version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we are doing our job protecting the users in Ukraine," Lipovsky says.

Lipovsky was part of the ESET team that — along with Ukraine's computer emergency response team (CERT-UA) and Microsoft — in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations from part of the nation's electric grid.

Industroyer2 is a more custom version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to thwart recovery operations when the attackers' planned power blackout hit. Industroyer was the first known malware able to shut out the lights, and it can communicate with ICS hardware in electrical substations — circuit breakers and protective relays, for instance — via popular industrial network protocols.

Even after the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April, Sandworm continues to relentlessly hammer at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insiders' view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas next month. 

"There are more wipers today … and new execution chains being used," he says.

Most of the current attack attempts by Sandworm against Ukraine's infrastructure now carry disk-wiping weapons. "We've seen disruption activity \[attempts\] at an increased rates since February," he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it's not the only one.

**Industroyer2 up Close**

In their Black Hat talk, Lipovsky and Cherepanov plan to reveal more technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities to defend against the nation-state group's attacks.

Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the first version. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It's likely more efficient and focused that way: "\[IEC 104 is\] one of most common \[OT\] protocols and a regional thing" in Europe, he notes.

The disk-wiping capabilities with Industroyer2 eclipse that of the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 is more "self-contained" and offers wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents. 

CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and on some Windows workstations at the targeted Ukrainian energy firm. Sandworm also set destructive malware programs ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.

Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.

Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. CERT-UA said the attack appeared to be in two stages, the first one likely in February of this year and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.

**Defense Against Industroyer, Sandworm**

While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry.  "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.

The playbook for protecting an OT network from Industroyer and related attacks isn't much different than others. "It's what we've always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.

In their talk at Black Hat Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and rules for Snort and YARA tools

They also plan to reiterate that engineering workstations in OT networks have become major targets, so they have to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered," including running EDR or XDR tools, he says.

Tag

#microsoft