norm. threat bulletin: 09th August 2023

Norm threat bulletin

Ubuntu users at risk with OverlayFS privilege escalation

Ubuntu is one of the most used Linux distributions there is, something that will have bad actors rubbing their hands together. With a new flaw that has been estimated that it effects as many as 40% of users it’s important to act now to secure your systems.

Two recent flaws have been discovered by Wiz Research CVE-2023-32629 and CVE-2023-2640 that may require you to need to act. They are “two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.” According to Sagi Tzadik and Shir Tamari.

The OverlayFS module in Ubuntu is a common Linux file system that has risen in popularity with the use of containers as its features enable the deployment of dynamic file systems based on pre-built images. It allows the combination of two directory trees or file systems, the upper and lower one. OverlayFS is an attractive attack surface as it has a history of numerous logical vulnerabilities that were easy to exploit, in the past the vulnerabilities have worked out of the box without any changes.

Why are the two vulnerabilities exclusive to Ubuntu. This is because Ubuntu made several changes to the OverlayFS module in 2018, this did not bring a vulnerability risk until 2020 when a security vulnerability was discovered and patched in the Linux kernel. Due to the earlier modifications by Ubuntu a vulnerability was never fixed in Ubuntu for OverlayFS.

With Ubuntu having now fixed the vulnerability on 24th July 2023, you should update your kernels to the latest version. There is a large list of Ubuntu versions, and we recommend that you check the Ubuntu CVE links at the bottom of this to determine if you have a vulnerable version.

By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against vulnerabilities disclosed via vendor bug bounty programs.

GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
CVE-2023-32629 | Ubuntu
CVE-2023-2640 | Ubuntu

Ransomware delivery via URLs is on the rise

Email attachments were the primary distribution method used by Ransomware gangs in 2021, but researchers at Palo Alto Networks’ Unit 42 have unveiled a transition to distribution URLs which accounted for over 75% of ransomware delivery in 2022.

Protocols used to deliver Ransomware in 2022. Source: Palto Alto Unit 422

This move toward URL delivery methods may increase attacker agility to make ransomware easier to distribute and harder for authorities to take down.

Unit42 noticed that ransomware hosting has become more polymorphic, with many different ransomware samples being hosted on single domains and vice versa. Domains hosting ransomware were often left up for several days after detection. In fact, two of the URLs included in the report are still active with one still hosting a Teslacrypt ransomware executable. Besides .com and .net top level domains, there has also been an increase in geographic top-level domains including .ru and .cn used to host ransomware malware.

Ransomware binaries were often being hosted on compromised web servers, which is a clear indicator to server administrators to keep on top of security patches to mitigate threats from known vulnerabilities.

By utilising norm.’s managed Threat Detection & Response module, you can ensure that your devices are monitored 24×7 for ransomware delivery and detonation, and that your web traffic is inspected to detect malicious activity.

Ransomware Delivery URLs: Top Campaigns and Trends (

Preface into the world of social media scams fueled by automation

Social media scams fueled by automation are on the rise, and they present a significant threat to users worldwide. Cyber criminals use scams as the first step to trick victims into voluntarily giving up sensitive information or money. With the vast popularity and public nature of social media platforms, fraudsters can easily target a massive number of individuals and engage in “socially engineered” scams by accessing substantial amounts of personal data. Fake profiles and accounts, created using AI-generated photos and data, make it challenging to identify these scams, as they closely resemble authentic profiles. Additionally, chatbots designed to mimic human conversations and deepfake technology further complicate the issue, making it harder for users to spot fraudulent activities.

The surge in social media scams is evident from the statistics presented by Group-IB. Scam activity has tripled from 2021 to 2022, with a growing automation of scam operations. Social media is the most common vector used by fraud efforts targeting corporations in the Middle East and Africa (MEA), accounting for 92% of cases. Scams have outpaced other financially motivated cyber crimes in 2021, making up 57% of all cases. Developing nations, especially in the Asia-Pacific region, have experienced a significant increase in scam resources per brand, climbing by 211% annually on average. The financial sector has been the most frequently targeted industry, and automation plays a major role in these scams, causing significant financial losses.

Examples of social media being utilised in scams include:

1) The discovery of 600 hacked Instagram profiles that were being used to send phishing links to Indonesian victims in the APAC region.

2) Scammers have mustered the art of posing as some of the biggest firms in the MEA region on social media to prey on job seekers, football fans and people trying to hire a domestic worker.

3) Free to use domains, such as .gq and .ml, also increased in popularity in the second half of 2022, accounting for 8.0% and 7.8% of scam domains, respectively.

To combat the escalating threat of AI-driven social media scams, it is crucial for social media companies to invest in advanced AI-driven detection and prevention systems that can identify and eliminate fraudulent profiles, chatbots, and deepfakes. Users must exercise caution when interacting with unfamiliar profiles or clicking on suspicious links and take extra care to protect their personal information. Collaboration between social media platforms and users is essential in preventing attacks and creating secure online environments. Educating users on recognizing malicious emails and suspicious content, as well as promoting cautious behaviour online, can also play a significant role in countering the risks posed by these scams.

Average Number of Resources for a Scam (Help-Net Security) (
Social Media Scam Numbers – Consumer International (
The Role of AI in Fueling Social Media Scams – TS2 Space – (

Get norm.’s threat bulletin direct to your inbox

norm. tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: