
Docker


Cryptojacking Attack Exploits Docker Swarm and Kubernetes to Build Botnet

A new cryptojacking attack exploits Docker Swarm and Kubernetes via exposed APIs, forming a botnet. Learn how it works and how to protect your systems.

01-Oct-2024
6 min read

Related Articles


Cloudflare

DDoS

Cloudflare mitigated the largest recorded DDoS attack peaking at 3.8 Tbps, highl...

In a landmark DDoS event, Cloudflare has announced the successful mitigation of the largest recorded Distributed Denial-of-Service (DDoS) attack to date, which peaked at 3.8 terabits per second (Tbps). This hyper-volumetric attack targeted organizations across the financial services, internet, and telecommunications sectors, underscoring the escalating scale and sophistication of cyber threats facing global infrastructure.

### A Month-Long Siege of Volumetric Attacks

The record-setting attack was part of a sustained campaign spanning more than a month, during which over 100 hyper-volumetric DDoS attacks were launched. These attacks aimed to overwhelm network infrastructure by flooding it with illegitimate traffic, consuming bandwidth and exhausting system resources so that legitimate users were denied access to services, which is the primary objective of any DDoS attack.

### Technical Anatomy of the Attack

The attacks primarily targeted the network and transport layers (Layers 3 and 4) of the OSI model. Many of them exceeded two billion packets per second (pps) and 3 Tbps of bandwidth. The threat actors built the campaign on a diverse set of compromised devices, including:

- ASUS home routers
- MikroTik systems
- Digital video recorders (DVRs)
- Web servers

These infected devices formed a global botnet with significant concentrations in Russia, Vietnam, the United States, Brazil, and Spain.

### UDP Exploitation on Fixed Ports

The attackers predominantly used the User Datagram Protocol (UDP) on fixed ports. UDP is favored for volumetric floods because it is connectionless: there is no handshake, so a bot can push packets as fast as its uplink allows, which maximizes the attack's speed and volume. The flip side for defenders is that a fixed destination port gives a stable signature to rate-limit or drop on.

### Cloudflare's Autonomous Defense Mechanism

Cloudflare's DDoS mitigation infrastructure detected and neutralized all of the attacks autonomously and in real time. The peak attack, at 3.8 Tbps, lasted approximately 65 seconds. Withstanding an onslaught of this size without manual intervention highlights the effectiveness of automated defenses and the importance of robust cybersecurity measures at this scale.

### Global Distribution of Attack Sources

Infected devices were distributed globally, with hotspots in the regions listed above.

### Comparative Analysis with Previous Records

Before this incident, the record for the largest publicly disclosed volumetric DDoS attack was held by Microsoft, which mitigated a 3.47 Tbps attack against an Azure customer in Asia. Cloudflare's figure surpasses that, indicating a troubling increase in the scale at which malicious actors operate.

### Emerging Threats: The CUPS Vulnerability

In a related development, Akamai has found that the recently disclosed vulnerabilities in the Common UNIX Printing System (CUPS) for Linux could serve as a new DDoS vector. Akamai's research found:

- Over 58,000 publicly accessible systems vulnerable to CUPS exploitation.
- Those systems could be co-opted to send thousands of requests in amplification attacks.
- Some CUPS servers responded repeatedly to a single initial request, potentially creating endless loops of malicious traffic.

### Implications for Cybersecurity

The escalation in both the scale of attacks and the exploitation of new vulnerabilities such as CUPS underscores the evolving threat landscape. Organizations must adopt proactive and adaptive security strategies, including:

- **Investing in automated defense systems:** as Cloudflare demonstrated, autonomous mitigation can neutralize large-scale attacks without human intervention.
- **Running regular vulnerability assessments:** identifying and patching vulnerabilities like those in CUPS prevents systems from being conscripted into botnets or amplification pools.
- **Collaborating globally:** sharing threat intelligence across industries and borders is crucial for anticipating and defending against emerging threats.

Cloudflare's mitigation of the largest recorded DDoS attack serves as both a warning and a call to action. As cyber threats continue to grow in scale and complexity, the importance of robust, automated, and adaptive defenses cannot be overstated. Organizations worldwide must remain vigilant and collaborative to safeguard the integrity of global digital infrastructure.

03-Oct-2024
4 min read

Iran

Hacking

USA

Three Iranian hackers linked to the IRGC indicted for a "hack-and-leak" campaign...

In a landmark cybercrime case, the U.S. Department of Justice (DOJ) has unsealed an indictment accusing three Iranian hackers of orchestrating a _"hack-and-leak"_ campaign aimed at influencing the outcome of the 2024 U.S. presidential election.

### Identification of Perpetrators

Iranian nationals Masoud Jalili, Seyyed Ali Aghamiri, and Yaser Balaghi, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), are accused of hacking into the accounts of U.S. government officials, individuals tied to several U.S. political campaigns, and members of the media.

### Detailing the Attacks

According to the [DoJ](https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us), these intrusions were part of a larger Iranian effort to steal sensitive information about U.S. officials and to influence the outcome of American elections.

### Target Shift to Trump Campaign

In May 2024, after years of targeting current and former U.S. government officials, the hackers allegedly shifted their focus to individuals associated with the Trump 2024 presidential campaign, as outlined in the [indictment](http://www.justice.gov/opa/media/1371191/dl).

![FBI-IRGC-hackers-wanted-poster.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/FBI_IRGC_hackers_wanted_poster_f7c0649a13.jpg)

***WANTED POSTER***

### Unauthorized Access and Theft

The hackers infiltrated the personal accounts of campaign officials, obtaining confidential campaign documents and sensitive emails.

### Hack-and-Leak Campaign Begins

By late June 2024, the hackers began a _"hack-and-leak"_ operation, attempting to pass the stolen material to U.S. media outlets and to individuals tied to the Biden campaign, with the intention of undermining Trump's 2024 presidential bid.

### Joint Statement and Timeline

Between late June and early July, Iranian cyber actors sent unsolicited emails to individuals associated with President Biden's campaign. These emails contained excerpts from stolen, non-public material tied to Trump's campaign, according to a joint [statement](https://www.fbi.gov/news/press-releases/joint-odni-fbi-and-cisa-statement-091824) released by CISA, the FBI, and the Office of the Director of National Intelligence on September 18.

### Earlier Activity and Tactics

The wider hacking campaign behind the leak dates back to January 2020 and relied on spear phishing and social engineering to compromise high-profile targets.

### Expanded Operations in 2022

By 2022 the operation had expanded to target a former U.S. government official in order to steal personal information that would help identify future victims.

### Concluding Government Actions

The U.S. State Department has offered a $10 million reward for [information](https://x.com/RFJ_USA/status/1839704122531987863) on Jalili, Aghamiri, and Balaghi. Concurrently, the Treasury Department's Office of Foreign Assets Control (OFAC) has [designated Jalili](https://home.treasury.gov/news/press-releases/jy2621) for his IRGC involvement, imposing sanctions intended to deter foreign interference in U.S. elections.

### Closing Quote from Officials

Assistant Attorney General Matthew G. Olsen [stated](https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us), _"Iran's hack-and-leak efforts are a direct assault on the integrity of our democratic processes."_

30-Sep-2024
3 min read

UNIX

CUPS

Linux

Discover how a critical CUPS vulnerability exposes Unix systems to remote code e...

This Threatfeed is the first in a series exploring vulnerabilities in Unix systems, specifically targeting GNU/Linux systems through the Common Unix Printing System (CUPS). As noted by a contributor to the CUPS project:

> _"From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited."_

This statement underscores the need to examine and address these vulnerabilities in order to improve system security.

---

## Summary

Several vulnerabilities have been identified in CUPS and its associated components which, when chained, allow remote code execution (RCE) on affected systems:

- **CVE-2024-47176**: `cups-browsed` versions ≤ 2.0.1 bind to UDP `INADDR_ANY:631` and accept packets from any source; a crafted packet makes the daemon issue a `Get-Printer-Attributes` IPP request to an attacker-controlled URL.
- **CVE-2024-47076**: `libcupsfilters` versions ≤ 2.1b1: `cfGetPrinterAttributes5()` does not validate or sanitize the IPP attributes returned by an IPP server, so attacker-controlled data flows into the CUPS system.
- **CVE-2024-47175**: `libppd` versions ≤ 2.1b1: `ppdCreatePPDFromIPP2()` does not validate or sanitize IPP attributes when writing them to a temporary PPD file, allowing injection of attacker-controlled PPD directives.
- **CVE-2024-47177**: `cups-filters` versions ≤ 2.0.1 ship `foomatic-rip`, which executes arbitrary commands taken from the `FoomaticRIPCommandLine` PPD parameter.

---

## Impact

A remote, unauthenticated attacker can silently replace existing printers or install new ones by pointing them at malicious IPP URLs. This leads to arbitrary command execution on the target system as soon as a print job is sent to the attacker-controlled printer.

---

## Attack Vectors

### Public Internet (WAN)

- The attacker sends a crafted UDP packet to port **631** on the target system.
- No authentication is required.
- This vector affects systems directly reachable from the internet with UDP port 631 exposed.

### Local Network (LAN)

- An attacker on the same network can spoof Zeroconf, mDNS, or DNS-SD advertisements to achieve the same result.
- This method will be covered in subsequent write-ups focusing on macOS.

---

## Affected Systems

The vulnerabilities affect a wide range of Unix-like systems where CUPS and `cups-browsed` are installed:

- **Most GNU/Linux distributions**
- **Some BSD variants**
- **Oracle Solaris**
- **Potentially Google ChromeOS**
- **Other Unix-like operating systems**

*Note:* Whether `cups-browsed` is installed and enabled by default varies across distributions.

---

## Technical Details

### Vulnerability in `cups-browsed` (CVE-2024-47176)

- **Issue:** `cups-browsed` listens on UDP port 631 on all network interfaces (`0.0.0.0`), accepting packets from any source.
- **Risk:** A specially crafted packet triggers a `Get-Printer-Attributes` IPP request to an attacker-controlled URL.
- **Cause:** No source-address validation; the default configuration accepts all sources.

### Lack of Input Validation in `libcupsfilters` (CVE-2024-47076)

- **Issue:** The function `cfGetPrinterAttributes5()` does not validate or sanitize IPP attributes received from a server.
- **Risk:** Attacker-controlled data is injected into the CUPS system and reaches later processing stages unchecked.
- **Cause:** Insufficient validation of IPP attributes returned from remote servers.

### Improper Handling in `libppd` (CVE-2024-47175)

- **Issue:** The function `ppdCreatePPDFromIPP2()` does not validate or sanitize IPP attributes when writing them to a temporary PPD file.
- **Risk:** Attribute values containing quotes and newlines can inject arbitrary directives into the generated PPD file, which CUPS then honours.
- **Cause:** Lack of input sanitization when generating PPD files from IPP attributes.

### Arbitrary Command Execution via `foomatic-rip` (CVE-2024-47177)

- **Issue:** The `foomatic-rip` filter executes arbitrary commands taken from the `FoomaticRIPCommandLine` parameter in PPD files.
- **Risk:** An attacker can execute commands with the privileges of the CUPS filter process (on most distributions the unprivileged `lp` user), a foothold that can lead to full system compromise through further escalation.
- **Cause:** Historical reliance on `foomatic-rip` for printer compatibility; restricting its capabilities without breaking existing drivers is difficult.

---

## Exploitation Overview

By chaining the identified vulnerabilities, an attacker can:

1. **Trigger a malicious IPP request:** send a crafted packet to UDP port 631, causing `cups-browsed` to connect to an attacker-controlled IPP server.
2. **Inject malicious IPP attributes:** the attacker's IPP server responds with attributes that neither `libcupsfilters` nor `libppd` validates.
3. **Create a malicious PPD file:** the system generates a PPD file containing the injected directives, including an attacker-chosen `FoomaticRIPCommandLine`.
4. **Execute arbitrary commands:** when a user sends a print job to the rogue printer, CUPS processes the PPD file and `foomatic-rip` runs the injected command.

*Note:* User interaction is required (starting a print job) for the final execution step.

---

## Remediation

### Immediate Actions

- **Disable `cups-browsed`** if it is not required:

  ```bash
  sudo systemctl stop cups-browsed
  sudo systemctl disable cups-browsed
  ```

- **Update CUPS packages:** apply security updates from your distribution's repositories as they become available.
- **Network-level mitigation:** block inbound UDP port 631 at the firewall, and consider restricting or disabling Zeroconf, mDNS, and DNS-SD if not in use. A perimeter block on UDP 631 does nothing against the LAN vector, so do not treat it as a complete fix.

### Long-Term Recommendations

- **Audit installed packages:** remove printing services and related packages wherever printing is not required.
- **Implement access controls:** configure `cups-browsed` to restrict allowed sources by editing `/etc/cups/cups-browsed.conf`.
- **Monitor for updates:** stay informed about security advisories for CUPS and its associated libraries.

The vulnerabilities in CUPS and its associated components present a significant security risk to Unix-like systems. Exploitation can lead to remote code execution with minimal attacker effort and no initial authentication. System administrators and users should take immediate action to mitigate these risks.

---

## Additional Considerations

### Responsible Disclosure Challenges

The process of responsibly disclosing these vulnerabilities highlighted difficulties in communication and prioritization between security researchers and software maintainers. Efficient collaboration is essential to address security issues promptly.

### Legacy Components

The continued use of legacy components such as `foomatic-rip` poses security challenges: their design makes command execution a feature, and restricting that capability without breaking functionality is hard.

### Future Research

Further analysis is under way on related vulnerabilities, including potential exploitation on other operating systems such as macOS. Subsequent write-ups will provide additional details.

---

## References

- **CUPS Official Documentation:** [cups.org](https://www.cups.org/)
- **Internet Printing Protocol (IPP) Specifications:** [IETF RFCs](https://www.ietf.org/standards/rfcs/)
- **CVE Details:**
  - [CVE-2024-47176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47176)
  - [CVE-2024-47076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47076)
  - [CVE-2024-47175](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47175)
  - [CVE-2024-47177](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47177)
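The following Python is an added example, not code from the original writeup or from the CUPS project. It models the PPD-writing step from the Exploitation Overview above (the `libppd` injection, CVE-2024-47175) in a deliberately unsanitised form beside a hardened one, and provides two audit helpers for the Remediation section: one that scans a generated PPD for `FoomaticRIPCommandLine` and `cupsFilter*` lines that route jobs through `foomatic-rip`, and one that checks a `cups-browsed.conf` for the exposed default. All function names are hypothetical, the IPP attribute values and config text are constructed, and the `BrowseAllow`/`BrowseDeny` handling is a simplified model that ignores `BrowseOrder`.

```python
"""Toy model of the CUPS PPD-injection step plus two audit helpers.
Added example; function names are hypothetical and inputs are constructed."""
import re

# Constructed IPP attribute sets. In the real chain these values come from
# the attacker-controlled IPP server's Get-Printer-Attributes response.
BENIGN_ATTRS = {
    "printer-make-and-model": "Generic PDF Printer",
    "printer-info": "Floor 2 printer",
}
MALICIOUS_ATTRS = {
    # A double quote closes the *NickName value, a newline starts a fresh
    # PPD line, and the writer's own trailing quote closes the last
    # injected directive. The command is a harmless placeholder.
    "printer-make-and-model": (
        'Generic PDF Printer"\n'
        '*FoomaticRIPCommandLine: "id > /tmp/pwned"\n'
        '*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip'
    ),
    "printer-info": "Floor 2 printer",
}

# One PPD keyword line of the form  *Keyword: "value"
PPD_LINE = re.compile(r'^\*([A-Za-z0-9-]+)\s*:\s*"(.*)"\s*$')


def ppd_from_attrs_vulnerable(attrs):
    """Copies attribute values straight into PPD strings: the missing
    sanitisation the advisory describes for ppdCreatePPDFromIPP2()."""
    return (
        '*PPD-Adobe: "4.3"\n'
        f'*NickName: "{attrs["printer-make-and-model"]}"\n'
        f'*ShortNickName: "{attrs["printer-info"]}"\n'
    )


def sanitize_ppd_value(value):
    """Reject anything that can terminate a quoted PPD string or begin a
    new PPD line: double quotes and ASCII control characters."""
    if '"' in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("IPP attribute contains characters illegal in a PPD string")
    return value


def ppd_from_attrs_hardened(attrs):
    """Same writer, but every remote-supplied value is validated first."""
    return (
        '*PPD-Adobe: "4.3"\n'
        f'*NickName: "{sanitize_ppd_value(attrs["printer-make-and-model"])}"\n'
        f'*ShortNickName: "{sanitize_ppd_value(attrs["printer-info"])}"\n'
    )


def audit_ppd(ppd_text):
    """Return (keyword, value) pairs that hand a job to foomatic-rip or give
    it a command line, i.e. the CVE-2024-47177 sink."""
    findings = []
    for line in ppd_text.splitlines():
        m = PPD_LINE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "FoomaticRIPCommandLine" or (key.startswith("cupsFilter") and "foomatic-rip" in val):
            findings.append((key, val))
    return findings


def audit_cups_browsed_conf(conf_text):
    """Flag a cups-browsed.conf that still listens for legacy CUPS browse
    packets on UDP 631 and accepts them from any source.

    Simplified model (assumption): BrowseRemoteProtocols defaults to
    'dnssd cups'; with no BrowseAllow lines every source is accepted;
    'BrowseAllow all' / 'BrowseDeny all' are taken literally; BrowseOrder
    is not evaluated."""
    protocols = {"dnssd", "cups"}
    allow, deny = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "BrowseRemoteProtocols":
            protocols = set(rest.split())
        elif key == "BrowseAllow":
            allow.append(rest.strip())
        elif key == "BrowseDeny":
            deny.append(rest.strip())
    listens_udp_631 = "cups" in protocols
    accepts_any_source = listens_udp_631 and "all" not in deny and (not allow or "all" in allow)
    return {"listens_udp_631": listens_udp_631, "accepts_any_source": accepts_any_source}


# Constructed config samples: a stock-looking file and a hardened one.
CONF_DEFAULT = "# stock file\nBrowseRemoteProtocols dnssd cups\n"
CONF_HARDENED = "BrowseRemoteProtocols dnssd\nBrowseAllow 10.0.0.0/8\n"

if __name__ == "__main__":
    print("vulnerable writer:", audit_ppd(ppd_from_attrs_vulnerable(MALICIOUS_ATTRS)))
    try:
        ppd_from_attrs_hardened(MALICIOUS_ATTRS)
    except ValueError as exc:
        print("hardened writer rejected the attributes:", exc)
    print("default conf:", audit_cups_browsed_conf(CONF_DEFAULT))
    print("hardened conf:", audit_cups_browsed_conf(CONF_HARDENED))
```

Run it to see the vulnerable writer emit a PPD with an injected `FoomaticRIPCommandLine` that `audit_ppd` flags, while the hardened writer refuses the same attributes; `audit_ppd` can also be pointed at the files under `/etc/cups/ppd/` on a host you suspect was reached by a rogue printer, and `audit_cups_browsed_conf` at a real `/etc/cups/cups-browsed.conf` (setting `BrowseRemoteProtocols` to `dnssd` or `none` is what turns off the UDP 631 listener).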

27-Sep-2024
6 min read