Critical HTTP/2 Flaw, Emerging Latrodectus Malware, and a Preventable Microsoft Exchange Breach

Welcome back to a LinkedIn edition of Mandos Way Newsletter. Each week I share 5 cybersecurity news items, tools, startup market updates, and must-read articles with security professionals, CISOs and tech leaders. It's the only newsletter you need to stay ahead in cybersecurity!


It's been another eventful week in the world of cybersecurity, with a range of critical incidents and developments that have caught my attention.

From the discovery of severe HTTP/2 vulnerabilities that can enable devastating denial-of-service attacks, to the emergence of a new malware strain called Latrodectus that may be a successor to the infamous IcedID banking trojan, this week has been packed with important news.

Let's dive in!


New JSOutProx Malware Targets Financial Institutions in APAC and MENA

  • JSOutProx is sophisticated malware that uses JavaScript and .NET to interact with a core module on the victim's machine, which in turn loads plugins for additional malicious activity.
  • The recent campaign involved hosting malicious payloads disguised as PDF files on GitHub and GitLab repositories, which were quickly removed and recreated to manage multiple payloads and targets.
  • While previously targeting financial institutions across Africa, the Middle East, South Asia, and Southeast Asia, the new version of JSOutProx has expanded its scope to the APAC and MENA regions.
  • The malware features complex obfuscation, a modular plugin architecture, and the ability to execute a variety of malicious actions; these traits suggest it may have been developed by actors based in or affiliated with China.

US Cyber Safety Board Releases Report on Preventable Microsoft Exchange Online Intrusion by China-Linked Hackers

  • In July 2023, Microsoft reported an intrusion into its Exchange Online system by Storm-0558, a hacking group affiliated with the People's Republic of China.
  • The US Cyber Safety Review Board (CSRB) conducted a 7-month independent review of the incident and found that the intrusion was preventable.
  • The CSRB attributed the intrusion to Microsoft's deprioritization of enterprise security investments and rigorous risk management, and recommended that Microsoft develop a public plan with timelines for making fundamental, security-focused reforms.
  • The report also provided recommendations for cloud service providers and the government, including implementing modern control mechanisms, baseline security practices, and transparent incident/vulnerability disclosure practices, as well as updating the FedRAMP authorization program and incorporating feedback on observed cloud security threats and incidents into NIST standards and frameworks.

HTTP/2 CONTINUATION Flood Vulnerabilities Enable Severe DoS Attacks

  • Researcher Bartek Nowotarski identified "CONTINUATION Flood" vulnerabilities in a range of HTTP/2 implementations that can lead to denial-of-service (DoS) attacks.
  • Many HTTP/2 implementations do not properly limit or check CONTINUATION frames, which carry the remaining fragments of a header block. An attacker can therefore send an extremely long sequence of CONTINUATION frames without ever setting the END_HEADERS flag, and the server keeps buffering or parsing them until it crashes from an out-of-memory condition or exhausts its CPU.
  • Affected implementations include Node.js, Envoy, Tempesta FW, amphp/http, Go's net/http and net/http2 packages, Apache httpd, and Apache Traffic Server; the impact ranges from memory leaks and excessive memory consumption to CPU exhaustion.
  • The CONTINUATION Flood vulnerabilities pose a significant threat to web servers because HTTP/2 is widely deployed and the attacks are hard to detect without frame-level analytics, so system administrators should promptly upgrade affected servers and libraries to mitigate the risk of exploitation.
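As an added example (not code from the newsletter or from any of the projects named above), this is the check a server-side HTTP/2 frame handler needs against the flood described here: a header-block reassembler that caps both the number of CONTINUATION frames and the bytes buffered before END_HEADERS arrives, and tears down the connection when either cap is exceeded. The frame layout follows RFC 9113; the cap values and the sample frame sequences are constructed for this example.

```python
import struct
# HTTP/2 frame types and flag relevant to header blocks (RFC 9113 sections 6.2 and 6.10).
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
# Defensive caps; values constructed for this example, not taken from any real server.
MAX_HEADER_BLOCK_BYTES = 8192    # total bytes buffered for one header block
MAX_CONTINUATION_FRAMES = 8      # CONTINUATION frames accepted for one header block

def pack_frame(ftype, flags, stream_id, payload):
    """Build one raw frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length

def assemble_header_block(data):
    """Reassemble HEADERS + CONTINUATION frames into one block, checking both caps
    before buffering more data. Returns (status, bytes buffered so far)."""
    block, stream, cont = bytearray(), None, 0
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == HEADERS and stream is None:
            stream = sid
        elif ftype == CONTINUATION and sid == stream:
            cont += 1
            if cont > MAX_CONTINUATION_FRAMES:
                return "GOAWAY:too_many_continuation", bytes(block)
        else:  # anything else before END_HEADERS is a connection-level protocol error
            return "GOAWAY:protocol_error", bytes(block)
        block += payload
        if len(block) > MAX_HEADER_BLOCK_BYTES:
            return "GOAWAY:header_block_too_large", bytes(block)
        if flags & END_HEADERS:
            return "OK", bytes(block)
    return "INCOMPLETE", bytes(block)

# Constructed sample traffic (not captures): one benign block and two unterminated floods.
BENIGN = pack_frame(HEADERS, 0, 1, b"\x82\x86") + pack_frame(CONTINUATION, END_HEADERS, 1, b"\x84")
FLOOD_MANY = pack_frame(HEADERS, 0, 3, b"\x82") + b"".join(pack_frame(CONTINUATION, 0, 3, b"A" * 16) for _ in range(100))
FLOOD_BIG = pack_frame(HEADERS, 0, 5, b"\x82") + b"".join(pack_frame(CONTINUATION, 0, 5, b"A" * 4096) for _ in range(3))
```

Both caps matter: a byte cap alone does not stop a stream of tiny frames that burns CPU, and a frame-count cap alone does not stop a few near-maximum-size frames that exhaust memory.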

New Latrodectus Malware Emerges as Potential Successor to IcedID

  • Latrodectus is a new malware family identified by Proofpoint researchers; it was first observed being distributed in email campaigns in late November 2023.
  • While investigating Latrodectus, Proofpoint researchers identified patterns in derived IcedID campaign IDs that could be correlated to specific threat actors over time, providing valuable attribution insights.
  • Latrodectus was first distributed by initial access broker TA577, known for distributing Qbot, and later used almost exclusively by TA578 since January 2024, acting as a downloader with sandbox evasion functionality.
  • Team Cymru's research into Latrodectus infrastructure revealed connections between Latrodectus and IcedID backend infrastructure, indicating the same threat actors are likely responsible for both malware families.

Multiple Healthcare Providers and Vendors Report Data Breaches Affecting Over 300,000 Individuals

  • M&D Capital Premier Billing, a billing service provider in Queens, NY, suffered a cyberattack that exposed the personal health information (PHI) of 284,326 individuals, including names, social security numbers, financial data, and medical information.
  • Ethos Senior Services, a healthcare provider based in Massachusetts, confirmed a data breach that potentially exposed the PHI of 14,503 individuals, including names, addresses, insurance details, treatment information, and some social security numbers.
  • Tri-City Healthcare District in California detected unusual network activity, where an unauthorized party accessed their systems, potentially compromising files containing patient names and social security numbers for 7,847 individuals.
  • Dental Health Services experienced a data disclosure error, where an emailing mistake exposed some plan member data to certain employer group customers, although the data was encrypted and no misuse is expected due to the limited nature of the data involved.

Continue reading by subscribing to Mandos Way Newsletter. You will receive top cybersecurity news, tools, startup market updates, and must-read articles every week. No strings attached!


Mirko Peters

Digital Marketing Analyst @ Sivantos

7 months

Another intense week in cybersecurity! Stay informed and stay safe.
