Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - F5 SIRT - This Week in Security: 10/9 - 10/15

Lior_Rotkovitch, F5 SIRT, 20-Oct-2022 01:14

This Week in Security, October 9th to October 15th, 2022

"Software security management, the seasonal return of DDoS and cyber-attacks will get you to real prison"

Editor's introduction
This week's editor is Lior Rotkovitch. October is Cybersecurity Awareness Month, and F5 promotes this event both externally and internally with discussions and knowledge transfer. It makes you see, over and over, the huge impact of security on our day-to-day life in general, and on hardware and software products and services in particular. Reading security news lately feels like we have ever more major challenges to overcome: yet another CVE exploitation, more security concerns around software end of life, and what can we do when a 0day is in our cars? DDoS is always a sure way to hit the headlines, and cyber crime will get you to real jail.

My recommendation for this week: one of the high-profile topics is the software supply chain problem, which is described nicely at Ryan Naraine's Security Conversations. They mention that not long ago we all said open source was considered more secure software since more eyes were watching it, and they discuss the SBOM concept as a good starting point for solving this problem.

Until next time, keep it up.
Lior. Twitter: @rotkovitch

In this week's issue:
PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin
Automotive Security Threats Are More Critical Than Ever
Over 45,000 VMware ESXi servers just reached end-of-life
Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack
Russian DDoS attack project pays contributors for more firepower
US airports' sites taken down in DDoS attacks by pro-Russian hackers
International crackdown on West-African financial crime rings
How Wi-Fi spy drones snooped on financial firm
Security M&A

PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin

Remember the critical Fortinet CVE that Dharminder mentioned last week? This is one of those cases where a PoC, and then an operational exploit, gets released. It is then fed into the botnets scanning the web, and the race to patch that I described begins. So I'm sending my support to the Fortinet security team.
“On Monday, the company made public an advisory and confirmed that the zero-day flaw had been exploited in at least one attack. This suggested that the attack observed by Fortinet was likely the work of a sophisticated — likely state-sponsored — threat actor. However, as more details are coming to light, it’s increasingly likely that CVE-2022-40684 will be widely exploited.

Penetration testing company Horizon3.ai has made public a PoC exploit that allows an attacker to add an SSH key to the admin user, enabling the attacker to access the targeted system with administrator privileges. The firm has also released technical details, and others have created templates for vulnerability scanners. There have been several reports over the past day indicating that scanning for systems affected by CVE-2022-40684 is underway. Threat intelligence firm GreyNoise has seen exploitation attempts coming from more than 40 unique IPs in the past 24 hours. WordPress security company Defiant has also seen exploitation attempts, coming from nearly two dozen IPs."

“Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place,” the Wordfence team at Defiant explained. “However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, [...] which attempts to update the public SSH key of the admin user.”

https://www.securityweek.com/poc-published-fortinet-vulnerability-mass-exploitation-attempts-begin
https://www.darkreading.com/attacks-breaches/concerns-fortinet-flaw-poc-increased-exploit-activity
https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-fortinet-auth-bypass-b...

Automotive Security Threats Are More Critical Than Ever

Cars have more and more software in them: not just the connectivity (WiFi, Bluetooth, LTE) but the vehicle software itself. Like any software, automotive software needs to be sustained with updates.

“...supply chain from OEM factories and legacy systems to component suppliers including those supplying sensors, ECUs, connections and other communication technology to maintain cohesion across applications.”

Now think about a critical vulnerability in one of the OEM software components that needs to be patched, with exposure to a million cars?!?!
https://www.securityweek.com/automotive-security-threats-are-more-critical-ever

Over 45,000 VMware ESXi servers just reached end-of-life

Beyond the supply chain software challenges, what happens when widely used software reaches end of life and end of support?

“Will only receive technical support but no security updates, putting the software at risk of vulnerabilities.”
https://www.bleepingcomputer.com/news/security/over-45-000-vmware-esxi-servers-just-reached-end-of-l...

Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack

Web infrastructure and security company Cloudflare disclosed this week that it halted a 2.5 Tbps distributed denial-of-service (DDoS) attack launched by a Mirai botnet. Characterizing it as a "multi-vector attack consisting of UDP and TCP floods," researcher Omer Yoachimik said the DDoS attack targeted the Minecraft server Wynncraft in Q3 2022.

"The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26 million rps attack [was] only 15 seconds."

https://thehackernews.com/2022/10/mirai-botnet-hits-wynncraft-minecraft.html
https://www.securityweek.com/mirai-botnet-launched-25-tbps-ddos-attack-against-minecraft-server

Russian DDoS attack project pays contributors for more firepower

“A pro-Russian group created a crowdsourced project called 'DDOSIA' that pays volunteers launching distributed denial-of-service (DDOS) attacks against western entities.”

“Volunteers for DDOSIA need to register through Telegram to receive a ZIP archive with the malware (“dosia.exe”), which contains a unique ID for each user. Members can link this ID to a cryptocurrency wallet and receive money for participating in DDoS attacks, payment being proportional to the firepower they provide.”

“Top contributors in each attack wave receive 80,000 rubles ($1,250), second-place attackers receive 50,000 rubles ($800), and third-place contributors are compensated with 20,000 rubles ($300). In the attacks against the U.S. airports, DDOSIA announced that they would distribute payouts to the top ten contributors, increasing the rewards for the contributors.”

https://www.bleepingcomputer.com/news/security/russian-ddos-attack-project-pays-contributors-for-mor...
US airports' sites taken down in DDoS attacks by pro-Russian hackers

“The pro-Russian hacktivist group 'KillNet' is claiming large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible. The DDoS attacks have overwhelmed the servers hosting these sites with garbage requests, making it impossible for travelers to connect and get updates about their scheduled flights or book airport services.”

“KillNet listed the domains yesterday on its Telegram channel, where members and volunteers of the hacktivist group gather to acquire new targets.”

https://www.bleepingcomputer.com/news/security/us-airports-sites-taken-down-in-ddos-attacks-by-pro-r...

General – security bits

International crackdown on West-African financial crime rings
https://www.interpol.int/en/News-and-Events/News/2022/International-crackdown-on-West-African-financ...

INTERPOL arrests ‘Black Axe’ cybercrime syndicate members
https://www.bleepingcomputer.com/news/security/interpol-arrests-black-axe-cybercrime-syndicate-membe...

How Wi-Fi spy drones snooped on financial firm
https://www.theregister.com/2022/10/12/drone-roof-attack/

Wi-Fi drones were used by hackers to penetrate a financial firm's network remotely
https://www.techspot.com/news/96321-drones-helped-hackers-penetrate-financial-firm-network-remotely....

Security M&A

"If you're wondering why Google blew $5b on Mandiant, this may shed some light”
https://www.theregister.com/2022/10/11/google_mandiant_brain/
Tags: F5 SIRT, series-F5SIRT-this-week-in-security, TWIS

Version history: Last update 20-Oct-2022 01:13, Updated by Lior_Rotkovitch