Vercara’s Open-Source Intelligence (OSINT) Report – September 27 – October 3, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Unix printing vulnerabilities enable easy DDoS attacks.

(TLP: CLEAR) Several Unix-based printing systems, such as CUPS (Common Unix Printing System), have inherent weaknesses that can be exploited by attackers. These vulnerabilities can lead to the disruption of service by overwhelming printing resources. The potential impact includes not only service disruption but also the possibility of broader network issues, as the printing services can affect other interconnected systems and services. 

(TLP: CLEAR) Comments: CUPS developers have issued a patch to address the vulnerability, urging users to update their systems promptly to mitigate the risk of exploitation. The article emphasizes the importance of regular updates and security practices to protect against potential DDoS attacks leveraging this and similar vulnerabilities. 

(TLP: CLEAR) Recommended best practices/regulations:  
NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” 

Organizations should have a well-defined incident response plan in place that outlines the procedures to follow in the event of a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premise hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available. 
Source: https://www.darkreading.com/vulnerabilities-threats/unix-printing-vulnerabilities-easy-ddos-attacks  

New cryptojacking attack targets Docker API to create malicious Swarm botnet.

(TLP: CLEAR) The Hacker News article details a new cryptojacking attack that specifically targets Docker containers, exploiting their configurations to mine cryptocurrency without the users’ consent. The attack takes advantage of misconfigured Docker setups: attackers gain access through vulnerabilities or poor security practices, such as weak passwords or exposed APIs. Once inside a vulnerable Docker container, the attackers deploy malicious code that initiates cryptocurrency mining. This process consumes the host machine’s CPU resources, leading to degraded performance and increased operational costs for the victim.

(TLP: CLEAR) Comments: The article outlines key indicators of compromise (IoCs), such as unusual CPU usage patterns and the presence of unfamiliar processes or network connections that suggest mining activities. The attack not only affects the individual container but can also potentially compromise the entire Docker host, enabling further exploitation of the underlying infrastructure. The rise of cryptojacking in containerized environments underscores the need for robust security measures in cloud-native applications, as attackers increasingly target such platforms to exploit resources. 
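A defender-side check for the exposed-API weakness this campaign relies on, added here as an example and not taken from the article or from any Docker tooling: it audits a daemon.json for a plaintext, unauthenticated, all-interfaces API listener and shows the corrected configuration beside the weak one. The daemon.json keys are Docker's documented dockerd options; the rules, findings text and sample configurations are assumptions.

```python
import json

# Audit a Docker daemon.json for API exposure. The keys checked ("hosts",
# "tls", "tlsverify", "tlscacert", "tlscert", "tlskey") are documented
# dockerd options; the rules, findings text and sample configs are assumptions.
ALL_INTERFACES = ("tcp://0.0.0.0", "tcp://[::]", "tcp://:")

def audit_daemon_config(config: dict) -> list:
    """Return a list of findings; an empty list means no exposure was found."""
    findings = []
    hosts = config.get("hosts", [])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket: not remotely reachable
    if not config.get("tlsverify"):
        # "tls": true encrypts the channel but still accepts any client;
        # only tlsverify demands a client certificate signed by tlscacert.
        findings.append("remote API on %s accepts unauthenticated clients "
                        "(set tlsverify with tlscacert/tlscert/tlskey)"
                        % ", ".join(tcp_hosts))
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not config.get(key):
                findings.append("tlsverify set but %s is missing" % key)
    if any(h.startswith(ALL_INTERFACES) for h in tcp_hosts):
        findings.append("API bound to all interfaces; bind a management address instead")
    if any(h.endswith(":2375") for h in tcp_hosts):
        findings.append("2375 is the conventional plaintext API port; use 2376 with TLS")
    return findings

# Constructed samples: the weak configuration beside the corrected one.
WEAK_CONFIG = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED_CONFIG = json.loads('''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}''')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```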

(TLP: CLEAR) Recommended best practices/regulations:  
OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”: 

“The mitigation planning should be done in two layers: 

“Business – identify the business flows that might harm the business if they are excessively used. 

“Engineering – choose the right protection mechanisms to mitigate the business risk. 

“Some of the protection mechanisms are more simple while others are more difficult to implement. The following methods are used to slow down automated threats: 

“Device fingerprinting: denying service to unexpected client devices (e.g. headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them

“Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns) 

“Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second) 

“Consider blocking IP addresses of Tor exit nodes and well-known proxies 

“Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.” 

(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively. 
Source: https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html   

INTERPOL arrests 8 in major phishing and romance fraud crackdown in West Africa. 

(TLP: CLEAR) The operation targeted sophisticated cybercriminal networks engaged in phishing and romance scams, which have been prevalent in the region and resulted in substantial financial losses for victims globally. The scammers employed various phishing techniques, including:  

  • Email Spoofing: Creating fraudulent emails that appeared to come from legitimate sources to trick victims into revealing sensitive information. 
  • Fake Websites: Developing counterfeit websites that mimicked reputable businesses to collect personal and financial data from unsuspecting users. 
  • Romance Scams: Using fake profiles and emotional manipulation to defraud victims.

(TLP: CLEAR) Comments: The crackdown underscores the need for increased public awareness regarding the risks associated with online interactions and the importance of verifying identities before engaging financially or personally. This operation highlights the necessity for ongoing collaboration between international law enforcement agencies to effectively combat transnational cybercrime. 

(TLP: CLEAR) Recommended best practices/regulations:  
Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

“Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typosquats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://thehackernews.com/2024/10/uk-hacker-charged-in-375-million.html   

New HTML smuggling campaign delivers DCRat malware to Russian-speaking users. 

(TLP: CLEAR) The article from The Hacker News discusses a new HTML smuggling campaign that delivers the Remcos Remote Access Trojan (RAT) to victims. This campaign employs a sophisticated technique that involves embedding malicious payloads within HTML files, making it challenging for traditional security measures to detect them. The HTML file is designed to download and execute the Remcos RAT once opened by the victim. The file uses base64 encoding to embed the payload, which is executed through JavaScript within the HTML document. 

(TLP: CLEAR) Comments: Once the malicious file is executed, it establishes a connection to a command-and-control server, allowing attackers to gain control over the infected system. The HTML smuggling campaign highlights an evolving threat landscape where attackers use innovative techniques to bypass conventional security protocols. Continuous vigilance and adaptive security measures are crucial in mitigating the risks posed by such advanced malware delivery methods. 
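A detection heuristic for the delivery pattern just described, added here as an example and not taken from the article: it scores an HTML document on a large base64 literal combined with the JavaScript calls used to decode it and hand it to the browser as a file. The weights, threshold and sample documents are assumptions, and the sample's embedded "payload" is harmless text.

```python
import base64
import re

# Heuristic scan for HTML smuggling: a large base64 literal plus the JavaScript
# calls typically used to decode it and present it as a download. Weights, the
# threshold and the 200-char minimum are assumptions; a base64 blob on its own
# stays below the threshold because inline images (data URIs) are a common
# benign source of long base64 runs.
BASE64_BLOB = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{200,}={0,2}')
INDICATORS = {
    "atob":            (re.compile(r'\batob\s*\('), 2),
    "blob":            (re.compile(r'\bnew\s+Blob\s*\('), 2),
    "object_url":      (re.compile(r'createObjectURL\s*\(|msSaveOrOpenBlob'), 2),
    "forced_download": (re.compile(r'\bdownload\s*='), 1),
}
SUSPICION_THRESHOLD = 5

def scan_html(html: str) -> dict:
    """Score one HTML document; 'indicators' records what matched."""
    hits, score = {}, 0
    blobs = BASE64_BLOB.findall(html)
    if blobs:
        hits["base64_blob"] = max(len(b) for b in blobs)  # longest run found
        score += 3
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(html):
            hits[name] = True
            score += weight
    return {"score": score, "suspicious": score >= SUSPICION_THRESHOLD,
            "indicators": hits}

# Constructed fixtures: the smuggling sample embeds only harmless text as its
# "payload"; the benign sample is an ordinary page.
_PAYLOAD = base64.b64encode(b"constructed benign sample text " * 8).decode()
SMUGGLING_SAMPLE = ('<html><body><script>\n'
                    'var raw = atob("' + _PAYLOAD + '");\n'
                    'var file = new Blob([raw]);\n'
                    "var link = document.createElement('a');\n"
                    "link.download = 'report.pdf';\n"
                    'link.href = URL.createObjectURL(file);\n'
                    '</script></body></html>')
BENIGN_SAMPLE = '<html><body><h1>Quarterly report</h1><p>Plain content.</p></body></html>'

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```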

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.” 

Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility.  UltraWAF includes several tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks. 
Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines, using defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration and malware detonation.
Source: https://thehackernews.com/2024/09/new-html-smuggling-campaign-delivers.html  

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
