Risky Bulletin: HTTP2 flaw enables massive DDoS attacks - Risky Bulletin

Summary

Risky Bulletin: HTTP2 Flaw Enables Massive DDoS Attacks
Hosted by Claire Aird | August 15, 2025

The latest episode of Risky Bulletin, hosted by Claire Aird and prepared by Catalyn Kim and Panu, delves into several pressing cybersecurity issues impacting both global and national landscapes. This comprehensive summary highlights the key discussions, insights, and conclusions presented in the episode.

1. HTTP/2 Vulnerability Facilitating DDoS Attacks

At the outset of the episode, Claire Aird introduces a critical vulnerability in the HTTP/2 protocol that has significant implications for web security.

Overview of the Vulnerability:
Researchers at Deepness Lab uncovered the "madeyoureset" attack, which exploits a feature in HTTP/2 that allows connections to be cancelled and reset. Exploiting this feature, attackers can continuously initiate new connections before the cancellation of previous ones is complete, leading to resource exhaustion and massive Distributed Denial of Service (DDoS) attacks.
Impact and Mitigation:
This vulnerability poses a substantial threat to web servers, potentially crippling services reliant on HTTP/2. Organizations are urged to monitor developments and apply necessary patches as they become available.

"Attackers can cancel connections, but before the cancellation is complete they can initiate many more, leading to resource exhaustion."
— Claire Aird [02:15]

2. U.S. Government Embeds Trackers in Chip Shipments

The podcast highlights a controversial move by U.S. authorities to embed tracking devices within semiconductor shipments.

Details of the Tracking Initiative:
According to Reuters, tracking devices are being incorporated into shipments of hardware from companies like Supermicro, AMD, Nvidia, and Dell. These devices aim to detect and prevent the diversion of shipments to adversarial nations, particularly China.
Company Responses and Concerns:
Both Nvidia and Dell have publicly denied any involvement in the installation of these trackers, raising questions about the transparency and security implications of such measures.

"It's unclear where and how shipments are being interdicted," noted Claire Aird [05:40].

3. Expansion of Facial Recognition Vans in the UK

In a move to bolster security measures, the UK is deploying additional facial recognition vans.

Deployment Details:
Ten new vans, each equipped with advanced cameras capable of scanning faces in real-time, will be added to the existing fleet. These vans aim to monitor crowds and assist in the apprehension of wanted individuals.
Scale and Capability:
The new vans are approximately twice the size of those currently in operation, indicating a significant investment in surveillance infrastructure.

"They'll be deployed to scan crowds and help catch wanted people," explained Claire Aird [08:20].

4. Security Breach in Canadian Parliament

A notable security incident involving Canada's Parliament was discussed, emphasizing the ongoing threats to governmental digital infrastructure.

Incident Overview:
Canadian authorities are investigating a breach in the House of Commons where hackers exploited a recent Microsoft vulnerability. The intruders accessed a central database, stealing non-public data related to employees and government-issued devices.
Response and Impact:
The breach occurred last Friday, and details remain limited as officials aim to prevent public panic.

"They allegedly stole non public data about employees and government issued devices," Claire Aird reported [11:05].

5. Russia Tightens Control Over Messaging Apps

The episode covers Russia's intensified regulation of foreign messaging platforms.

Restrictions Implemented:
Russia's Internet watchdog, Roscomnadzor, has begun limiting WhatsApp and Telegram voice and video calls, citing their use in fraud and terrorist activities. Additionally, the Kremlin mandates that government officials transition their Telegram channels to the domestic app MAX.
Future Implications:
Official MAX accounts are expected to launch in the coming weeks, marking a significant shift in governmental communication protocols.

"The Kremlin has ordered government officials to migrate their telegram channels to the country's domestic messaging app, MAX," Claire Aird stated [14:30].

6. Cyber Attack on Polish Water Supply

Poland faced a cyber threat targeting its essential infrastructure.

Attack Details:
A cyber assault aimed at disrupting the water supply of a major city was reportedly thwarted by Polish authorities. The Deputy Prime Minister, Krzysztof Gabgowski, refrained from disclosing the city's name or the identities of the attackers to avoid public alarm.

"Authorities blocked the attack," confirmed Claire Aird [17:10].

7. Iranian Journalists Targeted by Hackers

The podcast sheds light on cyber espionage activities targeting Iranian media personnel.

Identification of Perpetrators:
Iran International traced the hack to Ali Bermud, a 27-year-old from Tabriz, linked to the Handala hacking group. The group operated via Telegram channels under the directives of Iran's intelligence agency, the MOIS.

"He ran the group's Telegram channel and took orders from Iran's intelligence agency," Claire Aird mentioned [19:45].

8. MyDocs Group Exploits Italian Hotel Data

A concerning data breach affecting the hospitality sector in Italy was discussed.

Breach Details:
The MyDocs group claims responsibility for hacking three unnamed Italian hotels between June and July, obtaining over 70,000 scanned passports and IDs. As of Thursday, more than 7,000 scans have been leaked, according to the Italian CERT.

"They stole more than 70,000 scanned passports and IDs," reported Claire Aird [22:00].

9. Cryptocurrency Exchange Hacks

Two significant breaches affecting cryptocurrency exchanges were highlighted.

BTC Turk and Another Exchange:
The Turkish cryptocurrency exchange, BTC Turk, was hacked twice, losing a total of $104 million ($49 million in the recent attack and $55 million last June). Following the latest breach, BTC Turk suspended operations to address the security lapse.

"BTC Turk also lost $55 million to a hack last June," Claire Aird noted [24:30].

10. Cloud Service Disruption at Colt

A cybersecurity incident has impacted Colt, a prominent cloud service provider.

Service Outage:
Colt's customer support portal and Voice API platform have been offline for at least three days. The company is collaborating with cybersecurity experts to investigate and resolve the issue.

"Colt says it's working with experts to investigate the incident," Claire Aird explained [27:15].

11. Monero Blockchain Under Threat

Concerns are rising within the cryptocurrency community regarding the security of the Monero blockchain.

Qubic's Control:
A company named Qubic claims to control over half of Monero's mining capacity, raising fears of a potential 51% attack that could allow for blockchain manipulation or transaction censorship. Qubic describes its actions as a "proof of concept" and an experimental endeavor.

"Users are worried Qubic may be able to execute a 51% attack," Claire Aird stated [29:50].

12. Sanctions on Russian Cryptocurrency Exchange Grinex

The U.S. Treasury Department has imposed sanctions on a Russian crypto exchange.

Grinex Sanctions:
Grinex, launched shortly after the FBI seized the GarretneX platform in March, is now sanctioned by the U.S. Treasury. Funds from GarretneX were reportedly transferred to Grinex wallets following the takedown. GarretneX itself was previously sanctioned in 2022 for facilitating money laundering linked to hacks and ransomware.

"The U.S. treasury Department has sanctioned Russian cryptocurrency exchange Grinex," Claire Aird informed listeners [33:20].

13. Legal Action Against Zelle for Fraud

The state of New York is taking legal steps against the payment platform Zelle over allegations of enabling fraud.

Lawsuit Details:
New York Attorney General Letitia James announced that scammers have siphoned over $1 billion from Zelle users between 2017 and 2023. The lawsuit accuses Zelle of prioritizing growth over implementing essential anti-fraud measures and failing to assist or reimburse affected users. Zelle is operated by a consortium of major American banks, including JPMorgan Chase, Bank of America, Capital One, and Wells Fargo.

"Scammers stole more than $1 billion from Zelle users," Claire Aird reported [36:45].

14. Arrests in Thailand for SMS Fraud

Two individuals in Thailand have been apprehended for their involvement in fraudulent SMS activities.

Details of the Arrests:
The suspects operated an SMS blaster from their vehicle in Bangkok, allegedly recruited via Telegram by a Chinese individual who compensated them $75 daily. Law enforcement agencies tracked and arrested the duo last week after monitoring their device activities.

"They were arrested last week after a local telco tracked down their device," Claire Aird explained [40:10].

15. Emergence of NFC Payment Malware in Brazil

A new Android Trojan targeting NFC payment transactions has surfaced in Brazil.

Malware Details:
Threat Fabric identified the "Phantom Card Trojan," which mirrors one prevalent in the Chinese underground. The malware's developer is known for adapting foreign ransomware for the Brazilian market. Similar NFC relay malware has also been detected in Russia, China, Indonesia, and Czechoslovakia.

"NFC relay malware has now been seen in Russia, China, Indonesia and Czechiya," Claire Aird noted [42:55].

16. Exploitation of Zero Days in Enable’s N-Central Platform

The podcast discusses vulnerabilities within Enable's remote monitoring and management platform.

Vulnerability Exploits:
CISA reported that threat actors are leveraging 20 zero-day vulnerabilities to execute deserialization and command injection attacks against Enable's N-Central servers. A patch addressing these vulnerabilities was released on Wednesday. Enable asserts that only on-premises servers are affected and that attackers need authentication to exploit these flaws.

"A patch was released on Wednesday," Claire Aird mentioned [45:30].

17. Fortinet Patches Critical Security Flaw

Fortinet has addressed a significant security vulnerability in its FortiWeb firewalls.

Vulnerability Details:
The discovered flaw allowed attackers to forge session cookies and bypass authentication mechanisms. Security researcher Aviv Y identified the vulnerability, now termed the "FORT majeure bug." Fortinet is urging all customers to promptly apply patches to their FortiSIM devices to mitigate potential threats.

"The vulnerability allowed attackers to forge session cookies and bypass authentication," Claire Aird elaborated [48:15].

18. Command Injection Patch Released

A critical security update addressing command injection vulnerabilities has been launched.

Update Details:
The patched issue involves a command injection attack, with practical exploit code available online, suggesting imminent exploitation attempts. Immediate application of the security update is recommended to prevent potential breaches.

"Practical exploit code exists online and exploitation is expected to follow," Claire Aird warned [50:00].

19. Xerox Releases Security Updates for Print Orchestration Platform

Xerox has issued patches for vulnerabilities in its Free Flow Core print orchestration system.

Vulnerability Information:
Two key vulnerabilities have been identified that allow unauthenticated attackers to execute malicious code on the platform. Horizon 3 Security released technical write-ups and proof-of-concept exploits for both flaws, emphasizing the need for immediate updates.

"They patch two vulnerabilities that allow unauthenticated attackers to run malicious code on the platform," Claire Aird reported [52:25].

20. NIST Completes ASCON Cryptographic Standard

The U.S. National Institute of Standards and Technology (NIST) has finalized the ASCON cryptographic standard.

Standard Details:
ASCON comprises four cryptographic algorithms tailored for low-memory Internet of Things (IoT) devices, including RFID tags and implanted medical devices. Initiated in 2023, this standard aims to enhance security in constrained environments.

"It can work with devices as small as RFID tags and implanted medical devices," Claire Aird concluded [55:10].

Conclusion

The episode of Risky Bulletin provides an in-depth analysis of emerging cybersecurity threats and the measures being taken to counteract them. From vulnerabilities in widely-used protocols like HTTP/2 to sophisticated state-sponsored tracking and cyber attacks on critical infrastructure, the discussions underscore the evolving landscape of digital security challenges. Listeners are encouraged to stay informed and vigilant as these issues continue to develop.

For more detailed updates and expert insights, tune into the full episode of Risky Bulletin.

Transcript

Claire Aird (0:04)

An HTTP 2 vulnerability enables DDoS attacks, Russia blocks Telegram and WhatsApp voice calls, attackers abuse a zero day in enable service and the US government is adding trackers to chip shipments this is the risky bulletin prepared by Catalyn Kim Panu and read by me, Claire aird. Today is the 15th of August and this podcast episode is brought to you by Yubico, the inventor of the Yubikey. A new vulnerability in the HTTP 2 protocol can allow threat actors to DDoS web servers. The madeyoureset attack was discovered by researchers at Deepness Lab. It exploits a feature of the HTTP 2 protocol that cancels and resets connections. Attackers can cancel connections, but before the cancellation is complete they can initiate many more, leading to resource exhaustion. In other news, U.S. authorities are hiding tracking devices in chip shipments. According to Reuters, the devices are meant to detect when shipments are diverted to China or other U.S. adversaries. Trackers have been found in shipments of Supermicro AMD, Nvidia and Dell Equipment. Nvidia and Dell both denied involvement in a scheme to install trackers. It's unclear where and how shipments are being interdicted. To deploy the tracking devices, 10 additional facial recognition vans will be deployed across the UK. The vans are equipped with cameras that can scan the faces of people walking by. They'll be deployed to scan crowds and help catch wanted people. The new van's approximately double the size of the UK's available fleet. Canadian authorities are investigating a security breach of the Parliament's House of Commons. Hackers exploited a recent Microsoft vulnerability to gain access to a central database. They allegedly stole non public data about employees and government issued devices, according to an email obtained by the CBC. The hack occurred last Friday. Russia's Internet watchdog has begun restricting WhatsApp and Telegram calls. Roscomnadzor said the messengers have been used to commit fraud and organise terrorist activities. Earlier this week, the country's four largest telcos petitioned the government to ban voice and video calls using foreign apps. The Kremlin has ordered government officials to migrate their telegram channels to the country's domestic messaging app, max. Officials will be allowed to maintain a presence on other messengers, but MAX is mandatory. The official MAX accounts are expected to go live in the coming weeks. Polish officials say a cyber attack attempted to cut the water supply to a large city. Deputy Prime Minister Krzysztof Gabgowski said authorities blocked the attack. He declined to name the city to avoid panic. He also didn't name the attackers. An Iranian independent news outlet has tracked down the spies who hacked its journalists. Iran International identified a member of the Handala hack group as 27 year old Ali Bermud from Tabriz. The outlet said he ran the group's Telegram channel and took orders from Iran's intelligence agency, the mois. A threat actor is selling scanned guest identity documents from Italian hotels. The MyDocs group claimed it obtained the data by hacking three unnamed hotels in June and July. The group said it stole more than 70,000 scanned passports and IDs. It leaked more than 7,000 scans on Thursday, according to the Italian cert. Turkish cryptocurrency exchange has been hacked for $49 million. The company suspended operations on Thursday morning after the funds were taken from its hot wallets. BTC Turk also lost $55 million to a hack last June. A cybersecurity incident is disrupting cloud service provider Colt. The company's customer support portal and its Voice API platform have been offline for at least three days. Colt says it's working with experts to investigate the incident. A company named Qubic claims it now controls more than half of the Monero cryptocurrency mining capacity. Users are worried Qubic may be able to execute a 51% attack to rewrite the Monero blockchain or censor transactions. The company called the takeover a proof of concept and an experiment. The U.S. treasury Department has sanctioned Russian cryptocurrency exchange Grinex. The platform launched days after the FBI seized the Garrentex platform in March. The U.S. treasury said funds from Guarantex were moved into Grinex wallets shortly after the takedown. Garantex was sanctioned in 2022 for laundering funds linked to hacks and ransomware. The state of New York is suing the payment platform Zelle over enabling fraud. According to New York Attorney General Letitia James, scammers stole more than $1 billion from Zelle users between 2017 and 2023. She claims Zelle prioritized growth ahead of basic anti fraud safeguards. The suit accuses the company of ignoring reports of fraud and failing to help or reimburse users. Zelle is owned and operated by a group of four American banks, JPMorgan Chase, bank of America, Capital One and Wells Fargo. Thai authorities have arrested two local men for sending fraudulent SMS messengers. The pair drove around Bangkok with an SMS blaster in the back of a Mazda. They were allegedly recruited on telegram by a Chinese man who paid them $75 a day. They were arrested last week after a local telco tracked down their device and alerted police. An Android Trojan capable of relaying NFC payment transactions has been spotted in Brazil, according to security firm Threat Fabric. The Phantom card Trojan is similar to one active in the Chinese underground. The Trojan's author is known for taking foreign malware and adapting it for Brazil. NFC relay malware has now been seen in Russia, China, Indonesia and Chechiya. Threat actors are exploiting 20 days in the enable n central remote monitoring and management platform. CISA said the zero days allow attackers to carry out deserialization and command injection attacks against N central servers. A patch was released on Wednesday. Enable says the zero days impact only on PREM servers and require threat actors to be authenticated. Fortinet has patched a major security flaw in its Forta web firewalls. The vulnerability allowed attackers to forge session cookies and bypass authentication. The FORT majeure bug was discovered by a security researcher, Aviv Y. Fortnet is also urging customers to patch their fortisim devices. A security update that patches a command injection attack was released on Tuesday. Practical exploit code exists online and exploitation is expected to follow. Xerox has released security updates for the Free Flow core print orchestration platform. They patch two vulnerabilities that allow unauthenticated attackers to run malicious code on the platform. Security firm Horizon 3 has released a technical write up and proof of concept for both vulnerabilities. And finally, the US National Institute of Standards and Technology has finished work on the ASCON cryptographic standard. The standard contains four cryptographic algorithms designed to be used on low memory IoT devices. The agency has been working on the standard since 2023. It can work with devices as small as RFID tags and implanted medical devices. And that is all for this podcast edition. Today's show is brought to you by our sponsor ubico. Find them at ubico. Com. Thanks for your company.