Calendar week 41 – WafdogBlog (http://192.168.11.11), Fri, 29 Mar 2024 12:30:14 +0000

Massive DDoS attack exploits zero-day vulnerability in HTTP/2 Rapid Reset
http://192.168.11.11/massiver-ddos-angriff-nutzt-zero-day-lucke-bei-http-2-rapid-reset/ – Tue, 07 Nov 2023 15:24:23 +0000

A novel DDoS attack based on HTTP/2 targeted several Google services and cloud users. The attackers used a technique called HTTP/2 Rapid Reset, which exploits a zero-day vulnerability in the HTTP/2 protocol tracked as CVE-2023-44487.

The reported scale of the attack was as follows: Amazon successfully defended against attacks at a rate of 155 million requests per second, Cloudflare at 201 million RPS, and Google set a record by withstanding attacks at an astonishing 398 million RPS.

Google stated, “These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second.”

The HTTP/2 protocol allows a client to cancel a stream it has already opened by sending an RST_STREAM frame to the server; the cancellation takes effect unilaterally, with no coordination between client and server. Because a cancelled stream no longer counts towards the server's limit on concurrent streams, the Rapid Reset attack opens requests and cancels them in quick succession: the server still spends resources on every request it has started, while the client stays below the concurrency threshold and can keep opening new streams.

Attacks that use numerous HTTP/2 connections and rapidly alternate between requests and cancellations are referred to as HTTP/2 Rapid Reset attacks. Because cancelled streams free their slot at once, each connection can carry an effectively unlimited number of requests, enabling attackers to flood a targeted website with HTTP/2 requests and exhaust its capacity to respond to new incoming requests, ultimately leading to an outage.

Attackers achieve this by initiating and cancelling hundreds of thousands of HTTP/2 streams. Cloudflare noted that the attack was made possible by the interplay of several HTTP/2 protocol features and specific server implementations, making virtually all modern web servers vulnerable.

Cloudflare reported, “CVE-2023-44487 is another manifestation of the HTTP/2 vulnerability. To mitigate it, we were able to enhance existing protective measures to monitor RST_STREAM frames sent by the client and close connections when they are used for abusive purposes. Legitimate uses of RST_STREAM by the client remain unaffected.”
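As an added example (not code from Cloudflare, Google or the original post), the toy monitor below shows why the server's concurrent-stream limit does not stop Rapid Reset, and implements a mitigation in the spirit of the one Cloudflare describes: count client RST_STREAM frames per connection in a sliding window and close the connection when the rate is abusive. The class and function names, the frame-trace format and the thresholds (100 streams, 50 resets per second) are assumptions chosen for the example.

```python
from collections import deque


class ConnectionMonitor:
    """Per-connection stream tracker with an assumed RST_STREAM rate guard (rst_limit=None disables it)."""
    def __init__(self, max_streams=100, rst_limit=50, window=1.0):
        self.max_streams, self.rst_limit, self.window = max_streams, rst_limit, window
        self.open_streams = set()   # the only thing SETTINGS_MAX_CONCURRENT_STREAMS counts
        self.work_started = 0       # requests the backend has begun processing
        self.peak_open = 0
        self.resets = deque()       # timestamps of client RST_STREAM frames
        self.closed = False

    def on_frame(self, ts, frame_type, stream_id):
        """Feed one client->server frame; returns 'OK', 'REFUSED' or 'CLOSED'."""
        if self.closed:
            return "CLOSED"
        if frame_type == "HEADERS":
            if len(self.open_streams) >= self.max_streams:
                return "REFUSED"    # the limit only bites while streams stay open
            self.open_streams.add(stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            self.work_started += 1  # backend work starts before any cancel arrives
        elif frame_type == "RST_STREAM":
            self.open_streams.discard(stream_id)  # slot freed at once, work wasted
            self.resets.append(ts)
            while ts - self.resets[0] > self.window:
                self.resets.popleft()
            if self.rst_limit is not None and len(self.resets) > self.rst_limit:
                self.closed = True  # mitigation: drop the abusive connection
                return "CLOSED"
        return "OK"


def rapid_reset_trace(n_requests, rate_per_second=100_000):
    """Constructed trace of the pattern described above: open stream i, cancel it at once."""
    frames = []
    for i in range(n_requests):
        ts, sid = i / rate_per_second, 2 * i + 1   # client streams use odd ids
        frames += [(ts, "HEADERS", sid), (ts, "RST_STREAM", sid)]
    return frames


def replay(frames, **policy):
    """Run a trace through one monitor; returns (work_started, peak_open, closed)."""
    mon = ConnectionMonitor(**policy)
    for ts, ftype, sid in frames:
        mon.on_frame(ts, ftype, sid)
    return mon.work_started, mon.peak_open, mon.closed
```

With the guard disabled, 1000 open-and-cancel pairs all reach the backend while the open-stream count never exceeds 1; with the guard on, the connection is closed after the 51st reset.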

Cloudflare, Google, and AWS have shared this attack technique with web server providers and hope that these companies will quickly release updates to fix the vulnerability.

ShellBot uses hexadecimal IPs to attack Linux SSH servers
http://192.168.11.11/shellbot-verwendet-hex-ips-um-linux-ssh-server-anzugreifen/ – Tue, 07 Nov 2023 15:16:28 +0000

The operators of ShellBot use IP addresses in hexadecimal notation to gain access to poorly managed Linux SSH servers and deploy the DDoS malware.

According to a recent report from the AhnLab Security Emergency Response Center (ASEC), the general process remains unchanged, but the download URL used by these threat actors to install ShellBot has shifted from a regular IP address to a hexadecimal value.

ShellBot, also known as PerlBot, is notorious for infiltrating servers with weak SSH credentials through dictionary attacks. The malware serves as a conduit for executing DDoS attacks and deploying cryptocurrency miners.

The malware is written in Perl and uses the IRC protocol to communicate with its command-and-control (C2) server.

In the recent series of observed ShellBot attacks, the malware is installed using hexadecimal IP addresses, for example, hxxp://0x2763da4e/, which corresponds to 39.99.218[.]78. This tactic appears to be an attempt to evade URL-based detection signatures.

ASEC found that because the download is performed with the curl tool, which, like web browsers, accepts IP addresses in hexadecimal notation, ShellBot can still be downloaded onto a Linux system and executed via Perl.
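Added example (not from the ASEC report): a normaliser that rewrites the IPv4 host of a URL into dotted-quad form, so that URL-based signatures written for 39.99.218.78 also match the 0x2763da4e spelling quoted above. Parsing follows the classic inet_aton rules that curl's resolver and browsers accept (1 to 4 dot-separated parts, each decimal, 0x-hex or leading-0 octal, the last part filling the remaining bytes); function names and the sample URL path are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def _part_value(part):
    """One dotted part: 0x-hex, leading-0 octal or decimal (inet_aton rules); None if invalid."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    return None


def canonical_ipv4(host):
    """Return the dotted-quad for any inet_aton-style IPv4 spelling, else None."""
    parts = host.split(".")
    if parts and parts[-1] == "":         # one trailing dot is tolerated
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part_value(p) for p in parts]
    if any(v is None for v in values):
        return None                       # a real hostname, not an IP literal
    *leading, last = values
    if any(v > 255 for v in leading) or last >= 256 ** (4 - len(leading)):
        return None                       # the last part fills the remaining bytes
    addr = sum(v << (8 * (3 - i)) for i, v in enumerate(leading)) + last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalise_url(url):
    """Rewrite the URL host to canonical dotted-quad when it is an IPv4 literal."""
    u = urlsplit(url)
    canon = canonical_ipv4(u.hostname or "")
    if canon is None:
        return url
    netloc = canon if u.port is None else f"{canon}:{u.port}"   # userinfo is dropped
    return urlunsplit((u.scheme, netloc, u.path, u.query, u.fragment))


def matches_signature(url, blocked_ips):
    """True when the URL host, once normalised, is on a dotted-quad block list."""
    return canonical_ipv4(urlsplit(url).hostname or "") in blocked_ips


if __name__ == "__main__":
    # Constructed URL using the hex host from the report; no request is made.
    print(normalise_url("http://0x2763da4e/bot.pl"))   # http://39.99.218.78/bot.pl
```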

This development underscores that ShellBot continues to be a popular choice for attacks against Linux systems.

Because of ShellBot’s ability to install additional malware or execute various types of attacks from the compromised server, it is strongly recommended to use strong passwords and regularly update them to resist brute force and dictionary attacks.

ASEC also revealed that attackers are using unusual certificates with exceptionally long character strings for the “Subject Name” and “Issuer Name” fields to distribute information-stealing malware like Lumma Stealer and a variant of RedLine Stealer called RecordBreaker.

“This type of malware is distributed through malicious sites easily accessible through search engines (SEO poisoning) and poses a threat to a wide range of unsuspecting users,” ASEC warned. “These malicious sites primarily use keywords related to illegal software such as serial numbers, keygens, and cracks.”

CISA warns of security vulnerability in Adobe Acrobat Reader
http://192.168.11.11/cisa-warnt-vor-sicherheitslucke-im-adobe-acrobat-reader/ – Tue, 07 Nov 2023 13:06:04 +0000

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about a critical security vulnerability in Adobe Acrobat Reader. The flaw, tracked as CVE-2023-21608, has a CVSS score of 7.8. It is a use-after-free bug that allows attackers to achieve remote code execution (RCE) with the privileges of the current user.

Various versions of Adobe Acrobat and Acrobat Reader were affected by this security vulnerability, including Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. Adobe had already released a patch for this security flaw in January 2023.

There have been reports of active exploitation of this vulnerability, but little information is currently available about the attackers and their methods. A proof-of-concept (PoC) for the flaw was, however, published in January 2023.

It is advisable for organizations and authorities to act promptly and install the published patches to protect their systems from potential threats.
