{
	"id": "9a5fd8c0-dfb2-419c-9d25-c641418f6553",
	"created_at": "2026-04-06T00:07:41.903094Z",
	"updated_at": "2026-04-10T03:27:34.966622Z",
	"deleted_at": null,
	"sha1_hash": "add01cdbe20243b203f94233391f240c855172b4",
	"title": "The Good, the Bad and the Ugly in Cybersecurity - Week 41",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1813485,
	"plain_text": "The Good, the Bad and the Ugly in Cybersecurity - Week 41\r\nBy SentinelOne\r\nPublished: 2023-10-13 · Archived: 2026-04-05 12:50:34 UTC\r\nThe Good | New Resources to Help Fight Ransomware\r\nExtortion and ransomware remain the top cybersecurity concern for many enterprises, not least as threat actors push into new areas such as targeting ESXi servers and exploit known vulnerabilities to gain initial access. Good news, then, that CISA launched two new resources this week for combating ransomware campaigns.\r\nAs part of its wider Ransomware Vulnerability Warning Pilot (RVWP) scheme, the agency has added a “Known to be used in ransomware campaigns” column to its existing Known Exploited Vulnerabilities (KEV) catalog. For example, the recent WS_FTP vulnerability (CVE-2023-40044) is now marked ‘Known’ under the new column after reports that threat actors are using multiple attack chains built on it to compromise organizations.\r\nIn addition, CISA is maintaining a list of “Misconfigurations and Weaknesses Known to Be Used in Ransomware” on its StopRansomware site. This list describes weaknesses and misconfigurations commonly exploited in ransomware campaigns and, unlike the KEV catalog, is not organized around CVEs: for each entry it gives a short description, the name of the vulnerable service and the ports that service commonly uses.\r\nhttps://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/\r\nPage 1 of 4\n\nCISA says it hopes the new resources will help organizations quickly identify and mitigate vulnerable software and services that are being actively exploited. 
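As an added example (not CISA's code and not from the original post), the following Python filters the KEV catalog, which CISA also publishes as a JSON feed whose entries carry a knownRansomwareCampaignUse field holding Known or Unknown, down to the ransomware-flagged entries and cross-references them against a software inventory, earliest remediation deadline first. The feed entries below are constructed for the example: the CVE identifiers are real catalog entries, but the names, dates and flag values are illustrative, and the INVENTORY list is hypothetical.

```python
import json

# Real feed location; the field names used below are the feed's own.
KEV_FEED_URL = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

# CONSTRUCTED sample in the shape of the feed. The CVE identifiers are real catalog
# entries; the names, dates, descriptions and ransomware flags are illustrative only.
SAMPLE_KEV = {
    'title': 'CISA Catalog of Known Exploited Vulnerabilities (constructed sample)',
    'count': 3,
    'vulnerabilities': [
        {'cveID': 'CVE-2023-40044', 'vendorProject': 'Progress', 'product': 'WS_FTP Server',
         'vulnerabilityName': 'Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability',
         'dateAdded': '2023-10-05', 'shortDescription': 'constructed sample entry',
         'requiredAction': 'Apply mitigations per vendor instructions or discontinue use.',
         'dueDate': '2023-10-26', 'knownRansomwareCampaignUse': 'Known'},
        {'cveID': 'CVE-2023-22515', 'vendorProject': 'Atlassian', 'product': 'Confluence Data Center and Server',
         'vulnerabilityName': 'Atlassian Confluence Data Center and Server Broken Access Control Vulnerability',
         'dateAdded': '2023-10-04', 'shortDescription': 'constructed sample entry',
         'requiredAction': 'Apply mitigations per vendor instructions or discontinue use.',
         'dueDate': '2023-10-13', 'knownRansomwareCampaignUse': 'Unknown'},
        {'cveID': 'CVE-2021-21974', 'vendorProject': 'VMware', 'product': 'ESXi',
         'vulnerabilityName': 'VMware ESXi OpenSLP Heap-Overflow Vulnerability',
         'dateAdded': '2023-02-22', 'shortDescription': 'constructed sample entry',
         'requiredAction': 'Apply updates per vendor instructions.',
         'dueDate': '2023-03-15', 'knownRansomwareCampaignUse': 'Known'},
    ],
}

# Hypothetical software inventory: (vendor, product) pairs as they appear in the feed.
INVENTORY = [('Progress', 'WS_FTP'), ('VMware', 'ESXi'), ('Atlassian', 'Confluence'), ('Microsoft', 'Exchange')]


def load_feed(path):
    # Load a downloaded copy of the feed from disk (this example makes no network calls).
    with open(path, encoding='utf-8') as fh:
        return json.load(fh)


def ransomware_entries(feed):
    # Entries CISA marks as used in ransomware campaigns; the field is Known or Unknown.
    return [v for v in feed['vulnerabilities']
            if v.get('knownRansomwareCampaignUse', '').lower() == 'known']


def inventory_matches(feed, inventory):
    # Cross-reference the ransomware-flagged entries against what we run, earliest due date first.
    hits = []
    for entry in ransomware_entries(feed):
        haystack = (entry['vendorProject'] + ' ' + entry['product']).lower()
        for vendor, product in inventory:
            if vendor.lower() in haystack and product.lower() in haystack:
                hits.append((entry['cveID'], entry['vendorProject'], entry['product'], entry['dueDate']))
                break
    return sorted(hits, key=lambda hit: hit[3])


def overdue(hits, today_iso):
    # ISO dates sort lexically, so a plain string comparison finds past-due remediation deadlines.
    return [hit for hit in hits if hit[3] < today_iso]


if __name__ == '__main__':
    for hit in inventory_matches(SAMPLE_KEV, INVENTORY):
        print(hit)
```

Note that the Confluence entry drops out even though it is in the inventory: it is in the KEV catalog but, in this sample, not flagged as ransomware-related, which is exactly the distinction the new column draws.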
Organizations are urged to review the resources regularly as part of their proactive security measures.\r\nThe Bad | HTTP/2 Rapid Reset Attack Could Overwhelm Unpatched Servers\r\nWhile denial of service attacks may sit further down the list of immediate threats for some organizations, there is no doubt that DDoS campaigns can cause serious disruption and revenue loss for their targets. Amazon, Cloudflare and Google all reported this week that a massive campaign of DDoS attacks has been exploiting a vulnerability in the HTTP/2 protocol itself, one that affects most server implementations rather than a single vendor’s product.\r\nGoogle says the attacks, which began in August and are ongoing, included one attempt to overwhelm internet services that was 7.5 times larger than the previous record, peaking at 398 million requests per second and lasting for two minutes. Google adds that over those two minutes the attack generated more requests than the total number of article views on Wikipedia in an entire month.\r\nSource: Google\r\nAnalysis of the attacks showed that threat actors are using a Rapid Reset technique that abuses the stream multiplexing capability of HTTP/2, which lets a client keep multiple in-flight requests open on a single TCP connection. A server caps the number of concurrently open streams per connection (the SETTINGS_MAX_CONCURRENT_STREAMS value it advertises, commonly 100), but that cap counts only streams that are still open. By sending a request and immediately cancelling it with an RST_STREAM frame, then sending the next one, a malicious client stays under the cap while the server has already started processing every request it sent, so the effective number of requests in flight is unbounded. Analysts say that even a modest-sized botnet can leverage this technique to overwhelm targets’ defenses.\r\nEnterprises or individuals serving HTTP workloads to the public internet may be at risk from the attack, and organizations are urged to verify that any servers supporting HTTP/2 are patched against CVE-2023-44487. 
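To make the mechanism concrete, here is an added Python simulation (not code from Google, Cloudflare or Amazon, and not from the original post) of a client sending HEADERS followed immediately by RST_STREAM, against a toy server that enforces a 100-stream cap and, optionally, a per-connection budget of resets of the kind several vendors shipped as mitigation. The frame layout follows RFC 9113; the reset_budget threshold, the fake-hpack placeholder payload (the server here never decodes the header block) and the honest_burst client are assumptions made for the example.

```python
import struct

HEADERS, RST_STREAM = 0x1, 0x3          # HTTP/2 frame types (RFC 9113)
END_STREAM, END_HEADERS = 0x1, 0x4      # HEADERS flags
CANCEL = 0x8                            # RST_STREAM error code a client uses to abandon a request


def frame(ftype, flags, stream_id, payload=b''):
    # 9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id.
    return (struct.pack('>I', len(payload))[1:] + bytes([ftype, flags])
            + struct.pack('>I', stream_id & 0x7FFFFFFF) + payload)


def iter_frames(buf):
    # Walk a byte buffer of back-to-back frames, yielding (type, flags, stream_id, payload).
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], 'big')
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack('>I', buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def rapid_reset_burst(pairs):
    # Attacker: open a new client-initiated (odd) stream and cancel it in the very next frame.
    out = bytearray()
    for i in range(pairs):
        sid = 2 * i + 1
        out += frame(HEADERS, END_STREAM | END_HEADERS, sid, b'fake-hpack')
        out += frame(RST_STREAM, 0, sid, struct.pack('>I', CANCEL))
    return bytes(out)


def honest_burst(requests):
    # Well-behaved client: many concurrent requests, none cancelled, so the stream cap applies.
    return b''.join(frame(HEADERS, END_STREAM | END_HEADERS, 2 * i + 1, b'fake-hpack')
                    for i in range(requests))


def serve_connection(buf, max_streams=100, reset_budget=None):
    # Toy server for one connection. Work is dispatched as soon as HEADERS arrives, which is
    # the point: a cancel that follows does not undo work already started. reset_budget is the
    # assumed mitigation: too many RST_STREAM frames and the connection is torn down (GOAWAY).
    open_streams = set()
    stats = {'dispatched': 0, 'refused': 0, 'resets': 0, 'peak_open': 0, 'goaway': False}
    for ftype, flags, sid, payload in iter_frames(buf):
        if ftype == HEADERS and sid not in open_streams:
            if len(open_streams) >= max_streams:
                stats['refused'] += 1       # SETTINGS_MAX_CONCURRENT_STREAMS doing its job
                continue
            open_streams.add(sid)
            stats['dispatched'] += 1        # backend work begins here
            stats['peak_open'] = max(stats['peak_open'], len(open_streams))
        elif ftype == RST_STREAM:
            open_streams.discard(sid)       # stream closes, freeing a slot under the cap
            stats['resets'] += 1
            if reset_budget is not None and stats['resets'] > reset_budget:
                stats['goaway'] = True
                break
    return stats


if __name__ == '__main__':
    print('honest   ', serve_connection(honest_burst(150)))
    print('attack   ', serve_connection(rapid_reset_burst(10000)))
    print('mitigated', serve_connection(rapid_reset_burst(10000), reset_budget=1000))
```

The numbers make the point: the honest client is refused once it reaches 100 open streams, while the attacker never has more than one stream open yet makes the server dispatch ten thousand requests over a single connection. With a reset budget the connection ends after the budget is spent; production servers count resets per time window rather than in total and answer with GOAWAY, and the tuning of that window is where implementations differ.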
Multiple vendors have released patches for their products this week.\r\nThe Ugly | China Suspected in Attacks Exploiting Critical Confluence Bug\r\nA zero-day bug in Atlassian’s Confluence software, reported last week to be under active exploitation, is now said to be in use by a nation-state actor linked to China, although details remain sparse.\r\nCVE-2023-22515 is rated 10.0, the maximum possible score, on the CVSS severity scale. The flaw is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server affecting versions 8.0.0 through 8.5.1, and it is exploitable without authentication if the vulnerable server is exposed to the public internet. The bug allows attackers to create a Confluence administrator account within the application.\r\nLast week’s warnings of active in-the-wild exploitation were followed this week by a series of tweets from @MSFTSecIntel attributing the activity to a threat actor that Microsoft tracks as Storm-0062 and that others track as DarkShadow or Oro0lxy. Several IP addresses were observed sending exploit traffic:\r\n192.69.90[.]31\r\n104.128.89[.]92\r\n23.105.208[.]154\r\n199.193.127[.]231\r\nThe threat actor has a history of exploiting unpatched web applications. In 2020, the DoJ indicted two Chinese nationals, Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志), for a long-running campaign spanning 11 countries in which they stole enterprise data from multiple companies, including COVID-19 vaccine manufacturer Moderna. Oro0lxy is known to be an online alias of Li. It is alleged that both individuals work on behalf of China’s Ministry of State Security. 
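Putting those indicators to use, an added example (not code from Microsoft, Atlassian or the original post): a small Python sweep over web access logs that flags requests from the four addresses listed above and, as a second heuristic taken from Atlassian’s advisory for CVE-2023-22515, any request to the Confluence setup endpoints under /setup/, which a completed installation should never be serving. The log format and the log lines are constructed for the example; a real Confluence or reverse-proxy log needs its own parse_line.

```python
from collections import Counter

# Addresses Microsoft Threat Intelligence reported sending exploit traffic, as defanged in the post.
DEFANGED_IOCS = ['192.69.90[.]31', '104.128.89[.]92', '23.105.208[.]154', '199.193.127[.]231']


def refang(ip):
    # Turn the defanged form used in reports back into a matchable address.
    return ip.replace('[.]', '.')


IOC_IPS = {refang(ip) for ip in DEFANGED_IOCS}

# Atlassian's advisory for CVE-2023-22515 lists requests to /setup/*.action on an already
# installed instance as an indicator, since setup endpoints are only legitimate during install.
SETUP_PREFIX = '/setup/'

# CONSTRUCTED access log in a simplified, space-separated shape: ip timestamp method path status.
SAMPLE_LOG = '''
203.0.113.7 2023-10-08T10:14:55Z GET /dashboard.action 200
192.69.90.31 2023-10-08T10:15:01Z GET /dashboard.action 200
192.69.90.31 2023-10-08T10:15:03Z POST /setup/setupadministrator.action 302
198.51.100.9 2023-10-08T10:20:11Z GET /login.action 200
198.51.100.9 2023-10-08T10:20:30Z POST /setup/setupstart.action 200
'''


def parse_line(line):
    # Parse one constructed log line; returns None for anything that does not fit the shape.
    parts = line.split()
    if len(parts) != 5:
        return None
    ip, ts, method, path, status = parts
    return {'ip': ip, 'ts': ts, 'method': method, 'path': path.split('?')[0], 'status': int(status)}


def hunt(log_text):
    # Return (ip, path, reasons) for every line that trips at least one indicator.
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec['ip'] in IOC_IPS:
            reasons.append('known exploit source')
        if rec['path'].startswith(SETUP_PREFIX) and rec['path'].endswith('.action'):
            reasons.append('setup endpoint requested')
        if reasons:
            findings.append((rec['ip'], rec['path'], reasons))
    return findings


def by_source(findings):
    # Which client addresses generated the hits, for triage and blocking decisions.
    return Counter(ip for ip, _, _ in findings)


if __name__ == '__main__':
    for finding in hunt(SAMPLE_LOG):
        print(finding)
    print(by_source(hunt(SAMPLE_LOG)))
```

The second source address in the sample never appears in the published list, yet it still surfaces through the setup-endpoint rule, which is the reason to hunt on behaviour as well as on indicator lists: addresses rotate, the endpoint an attacker needs does not. Any hit on /setup/ after installation should be followed by a review of the confluence-administrators group for accounts nobody created.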
Li and Dong are both currently wanted by the FBI.\r\nOrganizations using the affected versions of Confluence Data Center and Server are urged to update their instances as a matter of urgency and to take appropriate threat hunting measures to determine and mitigate any existing compromise.\r\nSource: https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5/"
	],
	"report_names": [
		"the-good-the-bad-and-the-ugly-in-cybersecurity-week-41-5"
	],
	"threat_actors": [
		{
			"id": "4db51064-e43e-4495-8e1b-ba6e117e688f",
			"created_at": "2023-11-05T02:00:08.061541Z",
			"updated_at": "2026-04-10T02:00:03.394014Z",
			"deleted_at": null,
			"main_name": "Storm-0062",
			"aliases": [
				"DarkShadow",
				"Oro0lxy"
			],
			"source_name": "MISPGALAXY:Storm-0062",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775791654,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/add01cdbe20243b203f94233391f240c855172b4.pdf",
		"text": "https://archive.orkl.eu/add01cdbe20243b203f94233391f240c855172b4.txt",
		"img": "https://archive.orkl.eu/add01cdbe20243b203f94233391f240c855172b4.jpg"
	}
}