These vulnerabilities have a high severity rating of 7.5 (High) and 7.8 (High) respectively. One of these vulnerabilities was identified in macOS systems. VMware has taken immediate action to address these issues by releasing patches and issuing security alerts.

CVE-2023-34057: Local Privilege Elevation Vulnerability This vulnerability allows a malicious actor with local user privileges within a guest virtualization machine to exploit and gain elevated privileges within that virtual machine. The severity of this vulnerability is rated 7.8 (High).

CVE-2023-34058: SAML token signature bypass To exploit this vulnerability, a threat actor must have “guest operation privileges”. These privileges determine the ability to interact with files and applications in the guest operating system of a virtual machine. With these privileges, a malicious actor can exploit this vulnerability in a targeted virtual machine and elevate their privileges if the target virtualization machine has a higher privileged guest alias. The severity rating for this vulnerability is 7.5 (High).

Users of these products are strongly advised to update to the latest version to minimize the risk of exploiting these vulnerabilities.

Examination of network traffic to a compromised device revealed that the threat actor updated the implant to include additional header validation. As a result, the implant remains active on many devices, but now only responds if the correct authorization HTTP header is set.

These attacks involve the use of CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) to create an exploit chain that allows the threat actor to access the devices, create privileged accounts, and deploy a Lua-based implant on the devices.

Cisco has initiated the release of security updates to address these issues, with further updates planned for an undisclosed date.

The identity of the threat actor responsible for this campaign remains unknown, but it is estimated that thousands of devices are affected, based on data shared by VulnCheck and attack surface management company Censys. The infections appear to be widespread, and experts suspect that the attackers may be assessing the value of the compromised data.

In recent days there has been a significant drop in the number of compromised devices, from around 40,000 to just a few hundred. Speculation suggests that the threat actor may have made modifications to disguise the presence of the implant.

The discovery of modifications to the implant by Fox-IT explains this sudden drop and shows that over 37,000 devices are still compromised.

Cisco has acknowledged the change in behavior and provided instructions for verifying the presence of the implant using a curl command.

“If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present,” Cisco noted.

The addition of header validation in the implant is considered a defensive measure by attackers to evade detection of compromised systems. This header verification has significantly reduced the visibility of publicly infected systems.

Horizon3.ai subsequently provided the PoC for this vulnerability, which prompted VMware to update its security alert. It’s worth noting that CVE-2023-34051 serves as a workaround for a group of critical vulnerabilities that VMware had already patched in January that could leave users vulnerable to remote code execution attacks. James Horseman emphasized the importance of “Defense in Depth” and explained that an official patch cannot always fully mitigate a vulnerability.

In a related development, Citrix has issued its security alert urging its customers to install updates for CVE-2023-4966, a critical vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability has a CVSS score of 9.4 and has been actively exploited.

In a report shared with The Hacker News, the web infrastructure and security company stated, “The campaign contributed to an overall 65% increase in HTTP DDoS attack traffic in the third quarter compared to the previous quarter. Similarly, L3/4 DDoS attacks increased by 14%.”

During the quarter, the total number of HTTP DDoS attack requests increased to 8.9 trillion, compared to 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. In Q4 2022, the number of attack requests was 6.5 trillion.

The vulnerability in question, HTTP/2 Rapid Reset (CVE-2023-44487), was publicly disclosed this month following a coordinated industry-wide release. That release revealed DDoS attacks carried out by an unknown actor who exploited the vulnerability to attack various providers, including Amazon Web Services (AWS), Cloudflare and Google Cloud.

Fastly reported in its own release on Wednesday that it had mitigated a similar attack that reached about 250 million RPS and lasted about three minutes.

Cloudflare also noted, “Botnets utilizing cloud computing platforms and exploiting HTTP/2 can generate up to x5,000 more power per botnet node. This allows them to perform hyper-volumetric DDoS attacks with a small botnet of 5-20,000 nodes alone.”

The most targeted industries in HTTP DDoS attacks were gaming, IT, cryptocurrency, computer software and telecommunications. The United States, China, Brazil, Germany and Indonesia were identified as the main sources of application layer (L7) attacks.

On the receiving end of HTTP DDoS attacks, the main targets were the United States, Singapore, China, Vietnam and Canada.

In addition, Cloudflare reported that DNS-based DDoS attacks were the most prevalent for the second consecutive quarter, accounting for nearly 47% of all attacks, an increase of 44% from the previous quarter. SYN floods ranked second, followed by RST floods, UDP floods and Mirai attacks.

One notable change was the decrease in ransomware DDoS attacks, which Cloudflare attributed to attackers realizing that organizations were less likely to pay ransoms.

This information is related to fluctuations in internet traffic and an increase in DDoS attacks following the Israel-Hamas conflict, during which Cloudflare successfully defended against several attempted attacks targeting Israeli and Palestinian websites.

The story of Stefan Thomas is well known in the crypto community. The San Francisco-based crypto entrepreneur owns an encrypted USB hard drive called Ironkey from 2011. He lost the password required to unlock the drive and thus gave up access to a cryptowallet containing 7,002 BTC that he had received for creating a YouTube video titled “What is Bitcoin?”.

In 2011, the value of a single Bitcoin surpassed the 1 US dollar mark, making the value of the USB hard disk relatively insignificant at the time. Currently, one Bitcoin is worth around 32,000 euros, which puts the current value of Thomas’ Ironkey at around 224 million euros, assuming his information about its contents is correct.

Nevertheless, Thomas has not yet gained access to the USB hard disk. He claims to have already tried eight out of ten possible passwords. Two more incorrect attempts would lead to the irrevocable deletion of the contents of the USB hard drive and permanently exclude him from his Bitcoins.

Unciphered has allegedly developed a secret technique that allows them to crack Ironkey passwords. This technique essentially allows an unlimited number of password attempts without erasing the data. With a brute force attack, the password can be determined with sufficient time and computing power.

In one test, Unciphered reportedly needed around 200 trillion attempts with a powerful computer to crack a three-word password, which they managed to do within a day. However, Thomas has so far declined to work with them.

When asked by Wired, the German programmer explained that he had already worked with other experts to recover the USB hard drive, which made him “not free” to negotiate with new parties. Thomas seems determined to give the two other teams he had previously hired more time to crack the Ironkey, although those teams appear to have made little progress.

The vulnerabilities exploited by Unciphered to bypass the Ironkey lock are currently being kept secret. These vulnerabilities are considered too dangerous to be made public, as the affected USB hard drives are too old to be patched with a software update. Many of these hard drives could still be used to store sensitive information. Nick Fedoroff, Director of Operations at Unciphered, warned that such a leak would have more far-reaching implications for national security than the loss of a crypto wallet.