Weekly Cyber Reports

This Week in Cyber 4th November 2022

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

4th November, 2022


OpenSSL released a patch for 2 ‘Critical’ vulnerabilities

Over the Halloween weekend, there were reports that OpenSSL 3.0 (versions 3.0 to 3.0.6) had two major vulnerabilities and that a patch was being prepared for the 1st of November. OpenSSL is widely used and ships with most Linux distributions, so the details of the vulnerabilities were withheld until the patch went live. The vulnerabilities are tracked as CVE-2022-3602 and CVE-2022-3786, and both are described as buffer overrun vulnerabilities. They are triggered by a specially crafted email address processed during X.509 certificate verification. OpenSSL 3.0.7 patches both issues, and it is worth noting that OpenSSL 1.x versions are not vulnerable. The total impact of these vulnerabilities is not yet known; however, with so many systems using OpenSSL 3.0, it is likely that some systems have been exploited.
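A first triage step for defenders is to find which hosts run a build in the affected range. The following is an added example (not from the original post or from OpenSSL) that parses `openssl version` banners and classifies them against the 3.0 to 3.0.6 range named above; the host names and banners in it are constructed sample data.

```python
import re
import subprocess

# Affected range as reported in the advisory: OpenSSL 3.0.0 through 3.0.6.
# 3.0.7 is the fixed release and the 1.x series is not affected.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches "OpenSSL 3.0.5 5 Jul 2022" and 1.x banners such as "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch, letter) from a version banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(banner: str) -> bool:
    """True when the banner reports a build inside the affected 3.0.0 - 3.0.6 range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    return AFFECTED_MIN <= parsed[:3] <= AFFECTED_MAX


def triage(banners: dict) -> dict:
    """Sort a host -> banner inventory into affected, not_affected and unknown buckets."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, banner in banners.items():
        try:
            bucket = "affected" if is_affected(banner) else "not_affected"
        except ValueError:
            bucket = "unknown"  # e.g. LibreSSL or a non-OpenSSL build; needs manual review
        result[bucket].append(host)
    return result


def local_openssl_banner() -> str:
    """Collect the banner from this machine (assumes `openssl` is on PATH)."""
    return subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "web-01": "OpenSSL 3.0.5 5 Jul 2022",
        "web-02": "OpenSSL 3.0.7 1 Nov 2022",
        "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
        "appliance-01": "LibreSSL 3.6.0",
    }
    print(triage(sample))
```

Distribution packages often backport the fix while keeping the upstream version in the banner, so a hit here should be confirmed against the package manager's changelog or security advisory before being treated as exposed.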

Fodcha DDoS Botnet returns with 1Tbps Traffic Generation Capabilities

The Fodcha DDoS Botnet has made a return in recent months with a few new capabilities. First discovered in April 2022, the botnet grows its arsenal through known vulnerabilities in Android or IoT (Internet of Things) devices, as well as through the insecure Telnet protocol or weak SSH passwords. Fodcha’s activity has been tracked by 360Netlab researchers since its appearance, and since April its capabilities have grown sharply: initial victim counts were around 100 per day and are now around 1000 per day, with a current peak of 1396 reached on October 11th. The bots also now encrypt their communication with the C2 server, making it more difficult for analysts and testers to research the malware and bring it down. Furthermore, the operators now have 42 C2 servers online, controlling 60,000 active bots per day with the ability to generate 1Tbps of traffic, and they have begun to demand ransoms to stop the attack. Most targets appear to be in the US or China, but there are victims in Europe, Russia, Australia, Japan, Brazil, and Canada.


UK National Cyber Security Centre issues 34 million Cyber Alerts in last 12 Months

Yesterday, the UK's National Cyber Security Centre (NCSC) published its annual report for 2022 in an effort to improve the UK's cyber security awareness and resilience. It saw a 90% year-on-year increase in sign-ups and assisted in the removal of around 2.1 million 'high-volume, low sophistication' cyber campaigns between September 2021 and August 2022. The NCSC's Early Warning service for subscribed users has issued 34 million alerts about attacks, exploits, vulnerabilities, and open ports over the last 12 months. The NCSC also reported a 20% increase in user reports, for a total of 6.5 million in the last year, and the removal of 62,000 scam URLs. NCSC CEO Lindy Cameron stated that ransomware 'remains the most acute threat' for UK organisations following the NCSC's involvement in hundreds of ransomware attacks, 63 of which were nationally significant and 18 of which required a nationally coordinated response. The NCSC has also been working to prevent Russian attacks on Ukrainian networks since the war broke out in February.

The full NCSC 2022 Review can be viewed here: https://www.ncsc.gov.uk/collection/annual-review-2022


Popular Android Apps are Redirecting to Malicious Sites

Four apps, all released by the same developer, have been found to direct victims to malicious websites. The four apps are very similar and pose as Bluetooth auto-connect utilities under the following names: ‘Bluetooth App Sender’, ‘Bluetooth Auto Connect’, ‘Driver: Bluetooth, Wi-Fi, USB’ and ‘Mobile transfer: smart switch’. Malwarebytes has reported that the apps generate revenue through pay-per-click ads and even attempt to coerce the victim into installing additional malware via links. 3 out of the 4 apps have been downloaded over a million times and are still available on the Android app store. Interestingly, the apps wait 4 days before they start generating revenue and deploying malware, which could be a method to bypass Google Play Store security checks and/or to gain the trust of the user.
