Weekly Cyber News Roundup

October 9th to October 13th 2023

Content 

01. News Bites
  • Sharp rise in Hacktivist activity as Israeli/Hamas conflict escalates

  • MOVEit Vulnerability forces Flagstar Bank to issue data breach warning to over 800 thousand of its customers

  • Air Europa advises customers to cancel credit card payments following cyber attack

  • Patch Tuesday fixes numerous zero days and actively exploited vulnerabilities

  • Curl 8.4.0 released early after high severity issue discovered

02. Conclusion

Quick News Bites

Sharp rise in Hacktivist activity as Israeli/Hamas conflict escalates

According to reports at least 15 ransomware collectives, including Anonymous Sudan and Killnet, have actively engaged in cyber-attacks targeting Israeli and Palestinian institutions and their backers. Killnet confirmed its focus on Israel via its Telegram channel, while several Indian groups have also declared similar objectives. One such group even claimed a successful cyber-attack on the Palestinian government website, according to their own Twitter post.

Anonymous Sudan initiated attacks against Israel shortly after the first rockets were launched by Hamas during the group's attack on Saturday. The group claimed to have disabled emergency warning systems in Israel. Additionally, The Jerusalem Post, Israel's largest English-language daily, was targeted by the same group.

Moreover, the Israel Independent System Operator's network was reportedly compromised, leading to the shutdown of its website. This attack was orchestrated by a group that also aimed at the Israel Electric Corporation. On the other hand, ThreatSec, a pro-Israel group, claimed to have compromised the infrastructure of Gaza-based Internet Service Provider AlfaNet.

MOVEit Vulnerability forces Flagstar Bank to issue data breach warning to over 800k of its customers

Flagstar Bank, a U.S.-based commercial bank, issued a warning to 837,390 of its U.S. customers about a data breach affecting their personal information.

In an official notification, Flagstar Bank stated that the MOVEit vulnerability did not compromise any of its own systems or affect its customer service capabilities. However, cybercriminals were able to access files transferred via MOVEit, which contained personal customer data from Flagstar and its associated institutions.

A cyber security firm based in Los Angeles revealed that while the compromised data has not yet appeared on the dark web, it has been offered for sale in private underground forums.

This is not Flagstar Bank's first cyber security incident. In June 2022, it disclosed a breach affecting around 1.5 million individuals, details of which were not made public. Another attack, in March 2021, perpetrated by the Clop ransomware gang, impacted nearly the same number of customers.

Air Europa advises customers to cancel credit card payments following cyber attack

Air Europa, a Spanish airline based in Mallorca, has advised customers to cancel their credit cards following a cyberattack on its online payment system.

The company did not disclose the number of customers affected or the timing of the attack. In a statement, Air Europa assured that there's "no evidence that the breach was ultimately used to commit fraud," offering no details on the nature or source of the attack. The airline is emailing affected customers and financial institutions, urging the cancellation and replacement of any bank cards used on its website to mitigate potential fraud.

This is not the first cyber security lapse for Air Europa; the airline was fined in 2021 for mishandling a 2018 data breach that impacted 489,000 customers.

The company reported that breach 41 days after it occurred, violating the EU's GDPR regulation that mandates reporting within 72 hours. This comes amid heightened scrutiny of airlines' cybersecurity, exemplified by British Airways' reduced £20 million ($24.5 million) fine in 2018 for a similar breach involving payment data.

Patch Tuesday fixes numerous zero days and actively exploited vulnerabilities

In Microsoft's October 2023 Patch Tuesday, the tech giant rolled out security updates for a total of 104 vulnerabilities, including three zero-day flaws that have been actively exploited. The vulnerabilities addressed include 45 Remote Code Execution (RCE) bugs, 26 Elevation of Privilege vulnerabilities, and 17 Denial of Service issues, among others. Only 12 of these were categorized as 'Critical,' all being RCE vulnerabilities.

The three actively exploited zero-day flaws are:

  • CVE-2023-41763 - An Elevation of Privilege vulnerability in Skype for Business. An attacker exploiting this could potentially view sensitive information.
  • CVE-2023-36563 - A Microsoft WordPad flaw that enables stealing NTLM hashes, which can be cracked or used for further attacks. The flaw was found internally by Microsoft's Threat Intelligence group.
  • CVE-2023-44487 - A novel DDoS attack technique known as 'HTTP/2 Rapid Reset,' which exploits HTTP/2's stream cancellation feature to overwhelm servers. While there's no complete "fix," Microsoft suggests disabling HTTP/2 protocol as a mitigation step.

This Patch Tuesday also addressed a Chromium vulnerability, CVE-2023-5346, already fixed by Google earlier in the month. Apple, meanwhile, released fixes for two zero-day vulnerabilities earlier in the month.

Microsoft revealed that two of the zero-days were publicly disclosed, underscoring the urgency for users to update their systems.
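The "disable HTTP/2" mitigation Microsoft suggests for CVE-2023-44487 is only useful if it actually takes effect, so the check below probes a server to see whether it still negotiates HTTP/2. This is an added example, not code from the roundup or from Microsoft; it assumes a curl build with HTTP/2 (nghttp2) support on the machine running the check, and `example.invalid` is a placeholder for a host you administer.

```shell
#!/bin/sh
# Added example (not from the roundup): verify whether a server still
# negotiates HTTP/2 after the CVE-2023-44487 mitigation has been applied.
# Assumes curl was built with HTTP/2 support (its --version Features line
# lists "HTTP2"); otherwise the probe cannot be trusted and is skipped.

# Map curl's %{http_version} write-out value to a verdict.
# "2" means the server accepted HTTP/2 (mitigation NOT in place);
# "1.1" or "1.0" means it fell back to HTTP/1.x; anything else is unknown
# (for example "0" when the connection failed before any response).
http2_verdict() {
    case "$1" in
        2)       echo "http2-enabled" ;;
        1.1|1.0) echo "http1-only" ;;
        *)       echo "unknown" ;;
    esac
}

# Probe one host over TLS, asking for HTTP/2 via ALPN (--http2 falls back
# to HTTP/1.1 when the server refuses h2). Exit status 0 only when the
# server no longer speaks HTTP/2, so the function can gate a deployment check.
check_host() {
    host="$1"
    if ! curl --version | grep -q 'HTTP2'; then
        echo "local curl lacks HTTP/2 support; cannot probe $host" >&2
        return 2
    fi
    ver=$(curl -sS --http2 -o /dev/null --max-time 10 \
              -w '%{http_version}' "https://$host/" 2>/dev/null || echo "error")
    verdict=$(http2_verdict "$ver")
    echo "$host: $verdict (curl reported http_version=$ver)"
    [ "$verdict" = "http1-only" ]
}

# Usage (placeholder hostname; substitute your own server):
# check_host example.invalid
```

Run `check_host` against each externally reachable endpoint after the change; a result of `http2-enabled` means the setting did not apply to that listener (for example a reverse proxy or load balancer in front of the origin still terminating HTTP/2).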

Curl 8.4.0 released early after high severity issue discovered

The Curl development team disclosed a high-severity vulnerability, CVE-2023-38545, affecting versions 7.69.0 to 8.3.0 of the Curl library.

This Heap-based Buffer Overflow flaw occurs when utilising a SOCKS5 proxy with remote hostnames exceeding 255 bytes. To exploit this, an attacker would need a victim to connect through a malicious SOCKS5 proxy and then redirect them to a URL with a lengthy hostname to trigger the overflow. Successful exploitation could result in remote code execution.

To mitigate the vulnerability, users should upgrade to Curl version 8.4.0 or apply available patches. The vulnerability is not easily exploitable, as clarified by Curl's author Daniel Stenberg, because it requires specific conditions like delaying the proxy handshake and a "double presence" of malicious elements for a successful attack.

A second, lower-severity flaw, CVE-2023-38546, also affects the Curl library. It could potentially allow an attacker to inject arbitrary cookies into an application using affected versions. However, the exploit demands specific conditions and is considered less likely to be utilized for an attack.

These vulnerabilities highlight the need for timely security updates, especially for libraries like Curl that are fundamental to many applications. Anyone using impacted versions should immediately apply patches or upgrade to avoid potential risks.

Mitigation:

  • Update libcurl to version 8.4.0 as soon as possible.
  • Enumerate all potentially vulnerable deployments of the libcurl package.
  • Windows users should wait for an official Microsoft patch.
  • Do not use the CURLPROXY_SOCKS5_HOSTNAME proxy type or "socks5h://" proxy settings (including proxy environment variables) with vulnerable versions.
  • Monitor potentially affected environments using EDR technology and perform targeted threat hunts to identify and root out malicious activity. This is something the Integrity360 Incident Response team can do on your behalf.
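The second mitigation step above, enumerating deployments, is where most teams get stuck, so here is a small host-side scan for it. This is an added example, not code from the roundup or from the curl project: it assumes a Linux/Unix host with `curl` on the PATH and libcurl shared objects under the usual library directories, and it flags any version inside the affected range 7.69.0 through 8.3.0 (fixed in 8.4.0) named in the text.

```shell
#!/bin/sh
# Added example (not from the roundup): enumerate curl/libcurl on a host and
# flag versions in the CVE-2023-38545 affected range (7.69.0 .. 8.3.0 inclusive).

# Turn "major.minor.patch" into a single integer for range comparison.
# A trailing suffix such as "8.4.0-DEV" is dropped; a missing patch level counts as 0.
version_key() {
    clean=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $clean
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 (true) when the version lies within [7.69.0, 8.3.0].
is_affected() {
    k=$(version_key "$1")
    lo=$(version_key 7.69.0)
    hi=$(version_key 8.3.0)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Pull the version out of the first line of "curl --version", e.g.
#   curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.9 zlib/1.2.13
# The libcurl/ token is preferred because the library, not the CLI, carries the bug;
# the leading "curl X.Y.Z" is used only when no libcurl token is present.
version_from_banner() {
    lib=$(printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
    if [ -n "$lib" ]; then
        echo "$lib"
    else
        printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p'
    fi
}

# Walk the host: the curl binary on PATH, then any libcurl shared objects.
# Filenames like libcurl.so.4.8.0 carry the SONAME version, not the release
# version, so those are listed for manual review rather than judged here.
scan_host() {
    if command -v curl >/dev/null 2>&1; then
        banner=$(curl --version 2>/dev/null | head -n 1)
        ver=$(version_from_banner "$banner")
        if [ -z "$ver" ]; then
            echo "unknown   $(command -v curl) (could not parse version banner)"
        elif is_affected "$ver"; then
            echo "AFFECTED  $(command -v curl) libcurl $ver (upgrade to 8.4.0)"
        else
            echo "ok        $(command -v curl) libcurl $ver"
        fi
    fi
    find /usr/lib /usr/lib64 /usr/local/lib /opt -name 'libcurl*.so*' 2>/dev/null |
        while read -r f; do echo "review    $f"; done
}

scan_host
```

Statically linked applications and container images bundle their own libcurl and will not show up in this scan; for those, check the vendor's advisory or the image's package manifest, and remember the page's note that Windows builds must wait for Microsoft's own patch.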

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Cyber Security Conference

STOCKHOLM | 17 October 2023

Integrity360's flagship conference Security First comes to Stockholm in 2023!

Join leading cybersecurity experts from across the community as we explore the latest threats and industry trends, and learn practical strategies to safeguard your organisation.