'Critical' CUPS vulnerability chain easy to use for massive DDoS attacks
Also, rooting for Russian cybercriminals, a new DDoS record, sneaky Linux server malware and more
Infosec In Brief The critical vulnerability in the Common Unix Printing System (CUPS) reported last week might have required some very particular circumstances to exploit, but Akamai researchers are warning the same vulnerabilities can easily be exploited for mass DDoS attacks.
As we reported near the end of September when the vulnerabilities were made public, there is a series of four CVEs in CUPS that, when chained together, can allow a remote attacker to commandeer a victim's machine. Of course, there are some limitations: it only works if you're running CUPS with cups-browsed enabled, and can only be exploited when a print job is started.
Send a carefully crafted packet to a vulnerable CUPS server, and none of those special conditions are needed to wreak havoc: if an attacker asks a CUPS server to treat the target of a DDoS request like a printer to be added, all bandwidth hell breaks loose.
"For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target," Akamai researchers said. "As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources."
According to the team that found it, there are more than 198,000 devices online vulnerable to the earlier CUPS attack chain, and around 58,000 of those are ripe for DDoS abuse. Were all the vulnerable nodes to be used for a single attack, Akamai estimates it could send as much as 1 GB of traffic per UDP packet. If padding of the packets to increase their size is assumed, something Akamai said the attack can easily do, then a single UDP packet attack could reach as large as 6 GB.
As the attack requires just a single request to a CUPS server, Akamai says an attacker would need just seconds to co-opt every single vulnerable instance they've found.
While it hasn't been exploited yet, Akamai expects such a ripe target to be plucked before most systems are patched and taken offline. Speaking of which, don't you have some Linux systems to look into?
Speaking of DDoS attacks, Cloudflare just blocked a record one
There's been a spike in layer 3/4 DDoS attacks since early September, Cloudflare reported last week, and one of the attacks set a new record for the largest-ever disclosed DDoS: 3.8 Tbps. The attack, Cloudflare says, was detected and mitigated autonomously.
The campaign is targeting companies in the financial services, internet and telecom industries and appears to be trying to exhaust resources and saturate bandwidth of in-line applications and devices. That, and it's running at an unprecedented scale and frequency.
"Cloudflare's defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second and 3 terabits per second," the firm said.
Being a company that offers DDoS mitigation tools, Cloudflare naturally says everyone should get some sort of solution to prevent falling prey to DDoS attacks like the ones it has been blocking of late. No matter which you choose, it's probably a good idea to do something: DDoS attacks reportedly rose 46 percent during the first half of 2024.
Are we the goodies?
The worlds of cyber crime syndicates and perverts collided last week.
FIN7, a financially motivated cybercrime gang based in Russia with a long history, was caught by threat analysts at Silent Push operating several websites that purport to offer AI deepfake nude image generators, but which are just honeypots for infostealing malware.
In one variation, the user is tricked into downloading a "deepnude generator" that's actually just a copy of Redline Stealer or D3F@ck loader, while another, which promises a free trial of a premium product, is packed with the Lumma stealer.
Silent Push managed to get seven malicious deepfake nude sites controlled by FIN7 taken offline, but they note it's likely others will appear in their place in short order, as is often the way with such websites.
We'd say protect yourself, but anyone downloading software to create nonconsensual nude images and videos can go right ahead and take the risk.
Naming, shaming not stopping North Korean hackers
North Korean threat actors identified and indicted by US officials over the summer have continued their campaigns unfazed by Uncle Sam's powerless finger pointing, Symantec is claiming.
Andariel – aka APT45, Onyx Sleet and Silent Chollima – is a North Korean threat actor linked to Rim Jong Hyok, a suspect whom US officials believe is Andariel and who was indicted in July for allegedly facilitating ransomware attacks on multiple US hospitals and government facilities.
The suspect in question, of course, lives in a country without diplomatic relations with the US.
"Symantec … found evidence of intrusions against three different organizations in the U.S. in August of this year, a month after the indictment was published," the company's threat hunters said. None of the attacks it detected were successful, and all were directed at private companies with no obvious intelligence value.
The technique hasn't changed, Symantec notes, with Andariel's same Backdoor.Preft malware deployed in the attacks; however, the financial motivation is new.
North Korean hackers aren't slowing down, but with them relying on the same malware and ingress tricks, staying safe is possible.
Here's your weekly 'please patch' note
Researchers from Aqua Security are reporting the discovery of a piece of sneaky Linux malware that, while not especially dangerous, has been blasted so widely across the internet it's worth taking a look at any unpatched system for excess resource usage.
Dubbed "perfctl malware" by the Nautilus crew at Aqua, the kit appears to want to do nothing but hijack machines to mine for cryptocurrency and use them as underground proxy nodes, and it's relying on a list of more than 20,000 common misconfigurations and known vulnerabilities - no novel vectors or complicated attacks here.
"Given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands," the researchers said. "It appears that with this malware any Linux server could be at risk."
Once installed, it's tricky to spot, too: perfctl uses a rootkit to hide its presence, goes dormant whenever a user logs into an infected machine, uses a Tor connection for all external communication, deletes its own binary, runs as a service, and tries to escalate its own privileges.
Time to take a look at your Linux servers - and be sure to go armed with Aqua's list of perfctl IOCs, too. ®