HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks
Earlier today, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks. Cloudflare has mitigated a barrage of these attacks in recent months, including an attack three times larger than any previous attack we’ve observed, which exceeded 201 million requests per second (rps). Since the end of August 2023, Cloudflare has mitigated more than 1,100 other attacks with over 10 million rps — and 184 attacks that were greater than our previous DDoS record of 71 million rps.
Social Dominates as Victims Take $2.7bn Fraud Hit
Fraud victims lost $2.7bn to scammers operating on social media between January 2021 and June 2023, according to new research from the FTC. The consumer protection agency said the sum of money lost to fraud on sites like Instagram and Facebook dwarfed that lost via regular websites and apps ($2bn), phone calls ($1.9bn) and email ($900m). Most common on social media were reports of online shopping scams (44%) – particularly clothing and electronics that were purchased but never arrived. Investment (20%) and romance fraud (6%) were also common during the period.
curl vulnerabilities ironed out with patches after week-long tease
After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command line transfer tool was finally released today. Described by curl project founder and lead developer Daniel Stenberg as “probably the worst curl security flaw in a long time,” the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546. We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of “high.”
Child Sexual Abuse Content and Online Risks to Children on the Rise
Certain online risks to children are on the rise, according to a recent report from Thorn, a technology nonprofit whose mission is to build technology to defend children from sexual abuse. Research shared in the Emerging Online Trends in Child Sexual Abuse 2023 report, indicates that minors are increasingly taking and sharing sexual images of themselves. This activity may occur consensually or coercively, as youth also report an increase in risky online interactions with adults.
Kaspersky calls for ethical use of AI in cybersecurity
The rapid development of AI systems, and the attempts to introduce them ubiquitously, are a source of both optimism and concern. AI can help humans in many different areas — as the cybersecurity industry knows firsthand. We at Kaspersky have been using machine learning (ML) for almost 20 years, and know for a fact that without AI systems it’s simply not possible to defend against the huge array of cyberthreats out there. During this time we’ve also identified a wide range of issues associated with AI — from training it on incorrect data to malicious attacks on AI systems and using AI for unethical purposes.