DigiCert’s Open-Source Intelligence (OSINT) Report – August 15 – August 21, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

HTTP/2 MadeYouReset Vulnerability Enables Massive DDoS Attacks

(TLP: CLEAR) The “MadeYouReset” vulnerability (CVE-2025-8671) exploits a subtle flaw in the HTTP/2 protocol’s stream cancellation mechanism. Normally, clients can cancel requests by sending RST_STREAM frames, but servers are designed to enforce limits on how many concurrent streams a client can open. The original “Rapid Reset” attack abused this by rapidly opening and canceling streams to overwhelm servers. “MadeYouReset” takes this a step further: instead of clients canceling streams, attackers craft requests that trigger the server itself to send RST_STREAM frames—effectively making the server do the canceling. This bypasses built-in concurrency protections, because the server doesn’t count its own cancellations against the client’s stream quota. As a result, attackers can flood the server with requests that appear legitimate but are internally canceled, consuming memory and CPU until the server crashes or becomes unresponsive. This server-side reset trick creates a highly asymmetric attack: a small number of malicious clients can generate massive load on powerful servers, making it ideal for DDoS campaigns. The vulnerability affects nearly all HTTP/2-compliant implementations, and mitigation requires protocol-level changes or aggressive rate-limiting strategies.
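As an added illustration of the accounting gap described above (this is not code from the original report or from any HTTP/2 implementation): a toy per-connection reset budget that, unlike Rapid Reset era defences, also charges server-generated RST_STREAM frames against the connection. The event names, the limit of 5 resets per window and the trace are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed event trace for one connection: six streams opened, then
# each reset by the server's own stack (e.g. after a malformed frame).
# No client RST_STREAM is ever sent, which is the MadeYouReset pattern.
SERVER_RESET_TRACE = [(sid, "open") for sid in range(1, 13, 2)] + \
                     [(sid, "server_rst") for sid in range(1, 13, 2)]


@dataclass
class ResetBudget:
    """Per-connection reset accounting over one observation window."""
    limit: int = 5                       # assumed resets tolerated per window
    open_streams: set = field(default_factory=set)
    resets: Counter = field(default_factory=Counter)

    def apply(self, stream_id: int, event: str) -> None:
        if event == "open":
            self.open_streams.add(stream_id)
        elif event in ("client_rst", "server_rst", "done"):
            self.open_streams.discard(stream_id)
            if event != "done":
                self.resets[event] += 1

    def client_only_exceeded(self) -> bool:
        # Rapid Reset style accounting: only peer-sent RST_STREAM counts.
        return self.resets["client_rst"] > self.limit

    def all_resets_exceeded(self) -> bool:
        # MadeYouReset-aware accounting: a reset the server was made to
        # generate still tore down real work, so it draws on the same budget.
        return sum(self.resets.values()) > self.limit


def evaluate(trace, limit: int = 5) -> dict:
    """Replay a trace and report both accounting decisions."""
    budget = ResetBudget(limit=limit)
    for stream_id, event in trace:
        budget.apply(stream_id, event)
    return {
        "open": len(budget.open_streams),
        "client_rst": budget.resets["client_rst"],
        "server_rst": budget.resets["server_rst"],
        "client_only_exceeded": budget.client_only_exceeded(),
        "all_resets_exceeded": budget.all_resets_exceeded(),
    }


if __name__ == "__main__":
    print(evaluate(SERVER_RESET_TRACE))
```

On the constructed trace the client-only counter never trips, while the combined counter flags the connection after the sixth server-side reset.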

(TLP: CLEAR) Comments: The “MadeYouReset” vulnerability is a striking example of how protocol-level design choices can be exploited. It leads to severe resource exhaustion, including out-of-memory crashes and denial-of-service conditions, even when attacker bandwidth is minimal. The vulnerability affects nearly all HTTP/2-compliant implementations, making it a systemic risk across enterprise environments. As a next step, all organizations should consider deploying the known CVE signatures on their WAF deployments.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, enables you to create your own rules in a variety of formats with the UltraWAF policy editor. You also have the option to continuously add new threat signatures (protection for CVEs and CWEs, such as CMS vulnerabilities) captured by our threat research team.

Source: https://gbhackers.com/http-2-madeyoureset-vulnerability

1.1 Million Unique Records Identified in Allianz Life Data Leak

(TLP: CLEAR) Hackers linked to the Scattered Spider and ShinyHunters groups have leaked data allegedly stolen from Allianz Life Insurance Company of North America, exposing approximately 1.1 million unique records. The breach targeted a third-party customer relationship management (CRM) system, affecting most of Allianz Life’s 1.4 million customers, financial professionals, and some employees. The leaked data includes names, email addresses, birth dates, phone numbers, and physical addresses. Analysis by Have I Been Pwned revealed that 72% of the compromised email addresses had already appeared in previous breaches. The attackers reportedly used social engineering tactics to infiltrate Salesforce instances across multiple major companies and began leaking stolen data via a Telegram channel—now deleted—after failed extortion attempts. Allianz Life has notified U.S. authorities but has not disclosed the exact number of individuals impacted.

(TLP: CLEAR) Comments: Hackers recently leaked personal data from Allianz Life Insurance, affecting over a million people. The breach didn’t come from Allianz’s own systems, but from a third-party customer management platform they used. The stolen information includes names, birth dates, email addresses, phone numbers, and home addresses—details that can be used for scams or identity theft. Two well-known cybercriminal groups, Scattered Spider and ShinyHunters, are believed to be behind the attack. After failing to extort money, the hackers began releasing stolen data on Telegram, a messaging app, though the channel was later removed. Allianz Life has notified U.S. authorities but hasn’t confirmed exactly how many people were affected. This incident highlights how even trusted companies can be vulnerable through their partners, and why protecting personal data is more important than ever.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

Source: https://www.securityweek.com/1-1-million-unique-records-identified-in-allianz-life-data-leak/

Oregon man charged with administering “Rapper Bot” DDoS-for-hire Botnet

(TLP: CLEAR) Federal prosecutors have charged an Oregon man, Ethan Foltz, for allegedly operating “Rapper Bot,” one of the most powerful DDoS-for-hire botnets ever documented. Rapper Bot infected tens of thousands of devices—mainly DVRs and WiFi routers—and weaponized them to launch massive Distributed Denial-of-Service (DDoS) attacks. These attacks averaged 2 to 3 terabits per second (Tbps), with some reportedly exceeding 6 Tbps, targeting victims in over 80 countries including U.S. government networks and major tech platforms. From April 2025 onward, Rapper Bot is believed to have executed over 370,000 attacks against 18,000 unique targets. The botnet’s scale and sophistication allowed paying customers to use it for extortion, leveraging its destructive bandwidth to demand ransoms. Investigators estimate that a single 30-second attack at this scale could cost victims anywhere from $500 to $10,000 in lost revenue, customer churn, and bandwidth fees. Law enforcement seized control of the botnet in early August 2025, effectively halting its operations. The takedown was part of Operation PowerOFF, a global effort to dismantle DDoS-for-hire services. The case highlights the growing threat of commercialized cyberattacks and the financial damage they can inflict.

(TLP: CLEAR) Comments: DoS attacks have evolved from crude bandwidth floods into highly sophisticated, weaponized services. The Rapper Bot botnet, for example, leveraged tens of thousands of infected devices to launch attacks exceeding 6 Terabits per second—enough to cripple even enterprise-grade infrastructure. What’s especially alarming is the commercialization of DDoS. Services like Rapper Bot operated as “DDoS-for-hire,” allowing anyone with money to rent destructive power. This lowers the barrier to entry for cybercrime and turns botnets into black-market utilities. The fact that attackers used everyday devices like DVRs and routers also highlights how insecure consumer hardware continues to fuel global cyber threats.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

Source: https://www.justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet

Threat Actors Exploiting Victims’ Machines for Bandwidth Monetization

(TLP: CLEAR) Threat actors are exploiting a critical vulnerability in GeoServer (CVE-2024-36401) to hijack internet-exposed systems and covertly monetize victims’ bandwidth. Instead of deploying traditional malware, attackers use legitimate software development kits (SDKs) or modified applications that quietly share network bandwidth, much as some apps earn passive income through residential proxy services. This stealthy tactic avoids detection by mimicking low-resource, legitimate services rather than noisy cryptominers. The exploit chain begins with remote code execution via GeoTools’ JXPath extension functions, allowing attackers to inject commands and download second-stage payloads from attacker-controlled servers. These payloads create hidden directories and launch Dart-based binaries built for Linux, enabling cross-platform persistence. Since March 2025, the campaign has evolved through multiple infrastructure shifts to evade detection, with over 7,000 vulnerable GeoServer instances identified across numerous countries.

(TLP: CLEAR) Comments: The GeoServer exploit (CVE-2024-36401) is a striking example of how threat actors are shifting tactics—from deploying noisy malware to monetizing victims’ machines through stealthy bandwidth hijacking. What makes this campaign especially notable is its use of legitimate SDKs and modified apps that mimic benign monetization models, such as residential proxy sharing. This allows attackers to profit from victims’ network resources without triggering traditional malware alarms or consuming noticeable system resources.

(TLP: CLEAR) Recommended best practices/regulations: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Source: https://gbhackers.com/threat-actors-exploiting-victims-machines/

Scattered Spider hacker gets sentenced to 10 years in prison

(TLP: CLEAR) Scattered Spider is known for sophisticated social engineering tactics, including phishing, MFA bombing, and impersonation. The group has targeted major companies like MGM Resorts, Coinbase, Reddit, and Riot Games, often partnering with ransomware outfits such as Qilin and RansomHub. Their attacks have shifted from retail and insurance sectors to aviation and transportation industries, and multiple members have been arrested in recent years. Noah Michael Urban, a key member of the Scattered Spider cybercrime group, has been sentenced to 10 years in prison after pleading guilty to wire fraud and conspiracy charges. Operating under aliases like “King Bob” and “Gustavo Fring,” Urban and his associates stole millions from cryptocurrency wallets between 2021 and 2023 using SMS phishing and SIM swap attacks. They hijacked victims’ phone numbers and email accounts to gain access to sensitive data and financial assets. Despite prosecutors requesting an eight-year sentence, the judge imposed a 120-month term and ordered Urban to pay $13 million in restitution. Urban claimed the sentence was unfair, citing his age and alleging that another group member had hacked the judge during the case.

(TLP: CLEAR) Comments: The sentencing of Noah Michael Urban, a key member of the Scattered Spider cybercrime group, marks a significant milestone in the fight against modern digital extortion. His 10-year prison term—two years longer than prosecutors initially requested—signals that courts are beginning to treat cyber-enabled financial crimes with the same gravity as traditional theft. What’s especially notable is the scale and sophistication of Scattered Spider’s operations: they didn’t just steal cryptocurrency through SIM swaps and phishing—they infiltrated major corporations, looted intellectual property, and partnered with ransomware gangs like Qilin and RansomHub to amplify their impact.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.

Source: https://www.bleepingcomputer.com/news/security/scattered-spider-hacker-gets-sentenced-to-10-years-in-prison/

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
