Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

*   Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  
*   The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  
*   Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. 
*   We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

**Victimology **

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language used in the Phishing emails, luring contents of Malicious documents, a masqueraded HTML webpage of Vkontake (VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.  

 

 

**Actor uses Gophish to send phishing emails **

Our analysis of the malicious hyperlinks embedded in the phishing emails disclosed to us the attacker-controlled hosting domains disk-yanbex\[.\]ru delivered the Malicious Microsoft Word document, and an HTML file embedded with the malicious JavaScript.   

The domain disk-yanbex\[.\]ru resolves to the IP address 34\[.\]236\[.\]234\[.\]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165\[.\]compute-1\[.\]amazonaws\[.\]com, during our analysis. We also observed that the same server 34\[.\]236\[.\]234\[.\]165 was reverse resolving to another domain e-connection\[.\]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34\[.\]236\[.\]234\[.\]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34\[.\]236\[.\]234\[.\]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

**Multi-modular Campaign delivers PowerRAT and DCRAT  **

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

**Maldoc-based infection delivers PowerRAT **

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document's default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine's current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. The macro after dropping the malicious HTA and the PowerShell loader script in the victim machine user profile folder, it configures the registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” with the value “C:\\Users\\<Username>\\UserCache.ini.hta”. 

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and writes a single line code embedding with a PowerShell command to execute the dropped PowerShell Loader masquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”. 

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.

**PowerRAT expands the attack vector for further infections  **

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects the username, computer name, and the system driver letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32\_volume class of WMIobject.  The collected data is written to memory in the format <Computername\_Username\_drive serial number>. 

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94\[.\]103\[.\]85\[.\]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5\[.\]252\[.\]176\[.\]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and executes it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim's environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed and is likely a placeholder, indicating that the actor is actively developing and updating their tools.  

The PowerRAT generates a random number between 7 - 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   

**HTML-based infection delivers DCRAT **

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

**GOLoader downloads and runs the DCRAT **

In DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy document. The malicious loader executable we are calling “GOLoader” is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\\” and the folder “C:\\Users\\$user\\Desktop” in the victim machine by executing the PowerShell commands.  

powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\$user\\Desktop'

powershell -Command Add-MpPreference -ExclusionPath 'C:\\'

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

**Threat actor delivers DCRAT **

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

*   Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.  
*   It has the capability of downloading and executing other files on the victim's machine. 
*   With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.  
*   The RAT can take screenshots and capture the keystrokes on the victim's machine. 
*   We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.  

C:\\Users\\admin\\Desktop\\zaHrebVC.log

C:\\Users\\admin\\Desktop\\HQLYdHol.log

C:\\Users\\admin\\Desktop\\qJutJUJW.log

C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\taskhostw.exe

C:\\ProgramData\\dllhost.exe

C:\\Users\\Default\\Pictures\\csrss.exe

C:\\Users\\Default\\Saved Games\\winlogon.exe

*   It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /f

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /f

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\Public\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\\Users\\All Users\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /f

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /f

schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

*   The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp\[://\]cr87986\[.\]tw1\[.\]ru/L1nc0In\[.\]php”.  

Sample of DCRAT configuration file. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

**IOCs **

IOCs for this research can be found in our GitHub repository here.

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

These types of "long-lived" credentials pose a risk for users across all major cloud service providers, and must meet their very timely ends, researchers say.

Source: Artur Marciniec via Alamy Stock Photo

Almost half of organizations have users with "long-lived" credentials in cloud services, making them more likely to be victimized in a data breach.

Long-lived credentials are authentication tokens or keys in the cloud that remain for a long period of time — sometimes valid and sometimes not — ultimately causing major data breaches where attackers have a lengthy open window to compromise credentials.

In Datadog's 2024 "State of Cloud Security" report, the researchers found that long-lived credentials are a widespread issue across all major cloud services, including Google Cloud, Amazon Web Services (AWS), and Microsoft Entra. Not just that, but many of these are even unused, and often are leaked in source code, where they can open access to images and build logs and application artifacts, never expiring and becoming major security risks. 62% of Google Cloud service accounts, 60% of AWS IAM users, and 46% of Microsoft Entra ID applications have an access key older than one year, the researchers found.

Ultimately, organizations struggle to manage these types of credentials, especially at scale, so the researchers at Datadog recommend that long-lived credentials be avoided altogether in order to mitigate this issue. 

"The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed," said Andrew Krug, head of security advocacy at Datadog. "To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use."

**About the Author**

Unmanaged Cloud Credentials Pose Risk to Half of Orgs

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper…

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper malware. Security researcher Kevin Beaumont exposes the attack. ESET denies direct compromise and points to partner involvement.

In a recent cyberattack, hackers targeted Israeli organizations by impersonating the cybersecurity firm ESET. The attackers sent phishing emails impersonating Slovak-based ESET, warning recipients of state-backed hackers targeting their devices.

The emails included a link to download a non-existent “ESET Unleashed program” that claimed to counter the attack. Clicking the link downloaded a ZIP file containing **wiper malware**, designed to wipe data from the infected device.

Security researcher Kevin Beaumont raised the alarm noting that the hackers had successfully breached ESET’s defences and were hosting malicious files on their servers. The emails were flagged as dangerous by Google, but many recipients may have fallen victim to the deception. 

The email, styled as ESET Advanced Threat Defense Team, and the downloads, styled as ESET Unleashed, contain various ESET DLLs and a file called setup.exe and call out to a legitimate org in Israel-www.oref.org.il. If a victim opened the ZIP file and ran the malware, it would proceed to delete files and data from their device. However, the malware required a physical PC and time to activate its destructive capabilities.

“ESET Israel definitely got compromised, this thing is fake ransomware that talks to an Israeli news org server for whatever reason,” Beaumont wrote in his **blog post**.

ESET responded to the incident by acknowledging that a security incident had occurred at their partner company in Israel, Comsecure, denying that their own infrastructure had been compromised. The official **statement** from ESET on X (Twitter) read:

_“We are aware of a security incident which affected our partner company in Israel last week. Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation.”_

The phishing campaign specifically targeted cybersecurity personnel within Israeli organizations, suggesting that the attackers were aiming to disrupt the country’s digital defences. The emails were sent on October 8th, the day after the anniversary of Hamas’ and other Palestinian militant groups’ armed incursions into Israel. A user on the **ESET Security Forum** quickly noticed the suspicious email and reported it.

The attackers gained access to Comsecure’s infrastructure likely through a security vulnerability or social engineering techniques. They then crafted carefully designed phishing emails that closely resembled ESET’s official style and branding.

The specific threat actor behind the campaign remains unclear. However, the tactics used are similar to those employed by the **pro-Palestine group Handala**, which recently **targeted** Israeli organizations with wiper malware and other cyberattacks. Cybersecurity firm Trellix has described Handala’s attacks as sophisticated and suggested possible links to Iran.

The ESET impersonation campaign is now blocked but it highlights the ongoing threat of phishing attacks and raises concerns about the security of ESET’s partner infrastructure and the potential for future attacks. To prevent similar attacks, organizations should prioritize verifying the authenticity of messages and implement advanced security measures.

1.  **Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Facebook, Meta, Apple, Amazon Most Impersonated in Phishing Scams**
3.  **UpdateAgent malware variant impersonates legitimate macOS software**
4.  **Hackers Claim 10TB Data Breach at Russian Cybersecurity Firm Dr.Web**
5.  **Internet Crime Complaint Center Impersonated in Malware, Phishing Scam**

Hackers Use Fake ESET Emails to Target Israeli Firms with Wiper Malware

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the brothers is facing life in prison for allegedly seeking to kill people with his attacks.

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running **Anonymous Sudan** (a.k.a. **AnonSudan**), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — **Ahmed Salah Yousif** **Omer**, 22, and **Alaa Salah Yusuuf Omer**, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit **PayPal** the following month, followed by **Twitter/X** (Aug. 2023), and **OpenAI** (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the **FBI** and the **Department of State**.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the **U.S. Department of Justice** says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service **Telegram**, and marketed its DDoS service by several names, including “**Skynet**,” “**InfraShutdown**,” and the “**Godzilla botnet**.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

**Amazon** was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm **CrowdStrike** said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the **Cedars-Sinai Hospital** in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

Sudanese Brothers Arrested in ‘AnonSudan’ Takedown

Ubuntu Security Notice 7073-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7073-1October 16, 2024linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp,linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4,linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Memory management;  - Network traffic control;(CVE-2024-27397, CVE-2024-38630, CVE-2024-45016, CVE-2024-26960)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1053-xilinx-zynqmp  5.4.0-1053.57  linux-image-5.4.0-1081-ibm      5.4.0-1081.86  linux-image-5.4.0-1094-bluefield  5.4.0-1094.101  linux-image-5.4.0-1101-gkeop    5.4.0-1101.105  linux-image-5.4.0-1118-raspi    5.4.0-1118.130  linux-image-5.4.0-1122-kvm      5.4.0-1122.130  linux-image-5.4.0-1133-oracle   5.4.0-1133.142  linux-image-5.4.0-1134-aws      5.4.0-1134.144  linux-image-5.4.0-1138-gcp      5.4.0-1138.147  linux-image-5.4.0-198-generic   5.4.0-198.218  linux-image-5.4.0-198-generic-lpae  5.4.0-198.218  linux-image-5.4.0-198-lowlatency  5.4.0-198.218  linux-image-aws-lts-20.04       5.4.0.1134.131  linux-image-bluefield           5.4.0.1094.90  linux-image-gcp-lts-20.04       5.4.0.1138.140  linux-image-generic             5.4.0.198.196  linux-image-generic-lpae        5.4.0.198.196  linux-image-gkeop               5.4.0.1101.99  linux-image-gkeop-5.4           5.4.0.1101.99  linux-image-ibm-lts-20.04       5.4.0.1081.110  linux-image-kvm                 5.4.0.1122.118  linux-image-lowlatency          5.4.0.198.196  linux-image-oem                 5.4.0.198.196  linux-image-oem-osp1            5.4.0.198.196  linux-image-oracle-lts-20.04    5.4.0.1133.126  linux-image-raspi               5.4.0.1118.148  linux-image-raspi2              5.4.0.1118.148  linux-image-virtual             5.4.0.198.196  linux-image-xilinx-zynqmp       5.4.0.1053.53Ubuntu 18.04 LTS  linux-image-5.4.0-1081-ibm      5.4.0-1081.86~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1118-raspi    5.4.0-1118.130~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1133-oracle   5.4.0-1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1134-aws      5.4.0-1134.144~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1138-gcp      5.4.0-1138.147~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-198-generic   5.4.0-198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-198-lowlatency  5.4.0-198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-aws                 5.4.0.1134.144~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1138.147~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1081.86~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-oracle              5.4.0.1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-raspi-hwe-18.04     5.4.0.1118.130~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.198.218~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.198.218~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7073-1  CVE-2024-26960, CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-198.218  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1134.144  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1094.101  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1138.147  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1101.105  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1081.86  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1122.130  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1133.142  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1118.130  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1053.57

Ubuntu Security Notice USN-7073-1

Ubuntu Security Notice 7072-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7072-1October 16, 2024linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15,linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - Watchdog drivers;  - Netfilter;  - Network traffic control;(CVE-2024-38630, CVE-2024-27397, CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1037-xilinx-zynqmp  5.15.0-1037.41  linux-image-5.15.0-1054-gkeop   5.15.0-1054.61  linux-image-5.15.0-1064-ibm     5.15.0-1064.67  linux-image-5.15.0-1064-raspi   5.15.0-1064.67  linux-image-5.15.0-1066-intel-iotg  5.15.0-1066.72  linux-image-5.15.0-1066-nvidia  5.15.0-1066.67  linux-image-5.15.0-1066-nvidia-lowlatency  5.15.0-1066.67  linux-image-5.15.0-1068-kvm     5.15.0-1068.73  linux-image-5.15.0-1069-oracle  5.15.0-1069.75  linux-image-5.15.0-1070-gcp     5.15.0-1070.78  linux-image-5.15.0-1071-aws     5.15.0-1071.77  linux-image-5.15.0-124-generic  5.15.0-124.134  linux-image-5.15.0-124-generic-64k  5.15.0-124.134  linux-image-5.15.0-124-generic-lpae  5.15.0-124.134  linux-image-5.15.0-124-lowlatency  5.15.0-124.134  linux-image-5.15.0-124-lowlatency-64k  5.15.0-124.134  linux-image-aws-lts-22.04       5.15.0.1071.71  linux-image-gcp-lts-22.04       5.15.0.1070.66  linux-image-generic             5.15.0.124.124  linux-image-generic-64k         5.15.0.124.124  linux-image-generic-lpae        5.15.0.124.124  linux-image-gkeop               5.15.0.1054.53  linux-image-gkeop-5.15          5.15.0.1054.53  linux-image-ibm                 5.15.0.1064.60  linux-image-intel-iotg          5.15.0.1066.66  linux-image-kvm                 5.15.0.1068.64  linux-image-lowlatency          5.15.0.124.112  linux-image-lowlatency-64k      5.15.0.124.112  linux-image-nvidia              5.15.0.1066.66  linux-image-nvidia-lowlatency   5.15.0.1066.66  linux-image-oracle-lts-22.04    5.15.0.1069.65  linux-image-raspi               5.15.0.1064.62  linux-image-raspi-nolpae        5.15.0.1064.62  linux-image-virtual             5.15.0.124.124  linux-image-xilinx-zynqmp       5.15.0.1037.41Ubuntu 20.04 LTS  linux-image-5.15.0-1054-gkeop   5.15.0-1054.61~20.04.1  linux-image-5.15.0-1064-ibm     5.15.0-1064.67~20.04.1  linux-image-5.15.0-1066-intel-iotg  5.15.0-1066.72~20.04.1  linux-image-5.15.0-1069-oracle  5.15.0-1069.75~20.04.1  linux-image-5.15.0-1070-gcp     5.15.0-1070.78~20.04.1  linux-image-5.15.0-1071-aws     5.15.0-1071.77~20.04.1  linux-image-5.15.0-124-generic  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-generic-64k  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-generic-lpae  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-lowlatency  5.15.0-124.134~20.04.1  linux-image-5.15.0-124-lowlatency-64k  5.15.0-124.134~20.04.1  linux-image-aws                 5.15.0.1071.77~20.04.1  linux-image-gcp                 5.15.0.1070.78~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-generic-hwe-20.04   5.15.0.124.134~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-gkeop-5.15          5.15.0.1054.61~20.04.1  linux-image-ibm                 5.15.0.1064.67~20.04.1  linux-image-intel               5.15.0.1066.72~20.04.1  linux-image-intel-iotg          5.15.0.1066.72~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.124.134~20.04.1  linux-image-oem-20.04           5.15.0.124.134~20.04.1  linux-image-oem-20.04b          5.15.0.124.134~20.04.1  linux-image-oem-20.04c          5.15.0.124.134~20.04.1  linux-image-oem-20.04d          5.15.0.124.134~20.04.1  linux-image-oracle              5.15.0.1069.75~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.124.134~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7072-1  CVE-2024-27397, CVE-2024-38630, CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-124.134  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1071.77  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1070.78  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1054.61  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1064.67  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1066.72  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1068.73  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-124.134  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1066.67  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1064.67  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.15.0-1037.41  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1071.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1070.78~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1054.61~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-124.134~20.04.1  https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1064.67~20.04.1 https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1066.72~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-124.134~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1069.75~20.04.1

Ubuntu Security Notice USN-7072-1

Ubuntu Security Notice 7071-1 - A security issue was discovered in the Linux kernel. An attacker could possibly use this to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7071-1October 16, 2024linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-hwe-6.8,linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia,linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle,linux-oracle-6.8, linux-raspi vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:The system could be compromised under certain conditions.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-nvidia-lowlatency: Linux low latency kernel for NVIDIA systems- linux-oem-6.8: Linux kernel for OEM systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-6.8: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-6.8: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-6.8: Linux hardware enablement (HWE) kernel- linux-lowlatency-hwe-6.8: Linux low latency kernel- linux-nvidia-6.8: Linux kernel for NVIDIA systems- linux-oracle-6.8: Linux kernel for Oracle Cloud systemsDetails:A security issue was discovered in the Linux kernel.An attacker could possibly use this to compromise the system.This update corrects flaws in the following subsystems:  - Network traffic control;(CVE-2024-45016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1013-raspi    6.8.0-1013.14  linux-image-6.8.0-1014-ibm      6.8.0-1014.14  linux-image-6.8.0-1014-oem      6.8.0-1014.14  linux-image-6.8.0-1014-oracle   6.8.0-1014.14  linux-image-6.8.0-1014-oracle-64k  6.8.0-1014.14  linux-image-6.8.0-1015-nvidia   6.8.0-1015.16  linux-image-6.8.0-1015-nvidia-64k  6.8.0-1015.16  linux-image-6.8.0-1015-nvidia-lowlatency  6.8.0-1015.16.1  linux-image-6.8.0-1015-nvidia-lowlatency-64k  6.8.0-1015.16.1  linux-image-6.8.0-1016-gcp      6.8.0-1016.18  linux-image-6.8.0-1017-aws      6.8.0-1017.18  linux-image-6.8.0-47-generic    6.8.0-47.47  linux-image-6.8.0-47-generic-64k  6.8.0-47.47  linux-image-6.8.0-47-lowlatency  6.8.0-47.47.1  linux-image-6.8.0-47-lowlatency-64k  6.8.0-47.47.1  linux-image-aws                 6.8.0-1017.18  linux-image-gcp                 6.8.0-1016.18  linux-image-generic             6.8.0-47.47  linux-image-generic-64k         6.8.0-47.47  linux-image-generic-64k-hwe-24.04  6.8.0-47.47  linux-image-generic-hwe-24.04   6.8.0-47.47  linux-image-generic-lpae        6.8.0-47.47  linux-image-ibm                 6.8.0-1014.14  linux-image-ibm-classic         6.8.0-1014.14  linux-image-ibm-lts-24.04       6.8.0-1014.14  linux-image-kvm                 6.8.0-47.47  linux-image-lowlatency          6.8.0-47.47.1  linux-image-lowlatency-64k      6.8.0-47.47.1  linux-image-nvidia              6.8.0-1015.16  linux-image-nvidia-64k          6.8.0-1015.16  linux-image-nvidia-lowlatency   6.8.0-1015.16.1  linux-image-nvidia-lowlatency-64k  6.8.0-1015.16.1  linux-image-oem-24.04           6.8.0-1014.14  linux-image-oem-24.04a          6.8.0-1014.14  linux-image-oracle              6.8.0-1014.14  linux-image-oracle-64k          6.8.0-1014.14  linux-image-raspi               6.8.0-1013.14  linux-image-virtual             6.8.0-47.47  linux-image-virtual-hwe-24.04   6.8.0-47.47Ubuntu 22.04 LTS  linux-image-6.8.0-1014-oracle   6.8.0-1014.14~22.04.1  linux-image-6.8.0-1014-oracle-64k  6.8.0-1014.14~22.04.1  linux-image-6.8.0-1015-nvidia   6.8.0-1015.16~22.04.1  linux-image-6.8.0-1015-nvidia-64k  6.8.0-1015.16~22.04.1  linux-image-6.8.0-1016-gcp      6.8.0-1016.18~22.04.1  linux-image-6.8.0-1017-aws      6.8.0-1017.18~22.04.1  linux-image-6.8.0-47-generic    6.8.0-47.47~22.04.1  linux-image-6.8.0-47-generic-64k  6.8.0-47.47~22.04.1  linux-image-6.8.0-47-lowlatency  6.8.0-47.47.1~22.04.1  linux-image-6.8.0-47-lowlatency-64k  6.8.0-47.47.1~22.04.1  linux-image-aws                 6.8.0-1017.18~22.04.1  linux-image-gcp                 6.8.0-1016.18~22.04.1  linux-image-generic-64k-hwe-22.04  6.8.0-47.47~22.04.1  linux-image-generic-hwe-22.04   6.8.0-47.47~22.04.1  linux-image-lowlatency-64k-hwe-22.04  6.8.0-47.47.1~22.04.1  linux-image-lowlatency-hwe-22.04  6.8.0-47.47.1~22.04.1  linux-image-nvidia-6.8          6.8.0-1015.16~22.04.1  linux-image-nvidia-64k-6.8      6.8.0-1015.16~22.04.1  linux-image-oem-22.04           6.8.0-47.47~22.04.1  linux-image-oem-22.04a          6.8.0-47.47~22.04.1  linux-image-oem-22.04b          6.8.0-47.47~22.04.1  linux-image-oem-22.04c          6.8.0-47.47~22.04.1  linux-image-oem-22.04d          6.8.0-47.47~22.04.1  linux-image-oracle              6.8.0-1014.14~22.04.1  linux-image-oracle-64k          6.8.0-1014.14~22.04.1  linux-image-virtual-hwe-22.04   6.8.0-47.47~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7071-1  CVE-2024-45016Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-47.47  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1017.18  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1016.18  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1014.14  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-47.47.1  https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1015.16  https://launchpad.net/ubuntu/+source/linux-nvidia-lowlatency/6.8.0-1015.16.1  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1014.14  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1014.14  https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1013.14  https://launchpad.net/ubuntu/+source/linux-aws-6.8/6.8.0-1017.18~22.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-6.8/6.8.0-1016.18~22.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-6.8/6.8.0-47.47~22.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-47.47.1~22.04.1  https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1015.16~22.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-6.8/6.8.0-1014.14~22.04.1

Ubuntu Security Notice USN-7071-1

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.
The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks,

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.

The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers.

If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same month the pair were arrested from an unknown country.

"Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks," said U.S. attorney Martin Estrada.

"This group's attacks were callous and brazen—the defendants went so far as to attack hospitals providing emergency and urgent care to patients."

Anonymous Sudan, which is tracked by Microsoft under the name Storm-1359, emerged at the start of 2023, orchestrating a series of Swedish, Dutch, Australian, and German organizations. While it claimed to be a hacktivist group, the indictments show that it was just a front for what they really were, a digital mercenary crew.

"After initially joining a brief pro-Russian hacktivist campaign, Anonymous Sudan conducted a series of DDoS attacks with apparent religious and Sudanese nationalist motivations, including campaigns against Australian and Northern European entities," Crowdstrike said.

"The group was also a prominent participant in the annual #OpIsrael hacktivist campaign. Throughout these campaigns, Anonymous Sudan also demonstrated a willingness to collaborate with other hacktivist groups like KillNet, SiegedSec and Türk Hack Team."

Court documents allege that the Anonymous Sudan actors and their customers used the group's Distributed Cloud Attack Tool (DCAT) to conduct thousands of destructive DDoS attacks and publicly claim credit for them, causing more than $10 million in damages to U.S. victims alone.

According to Amazon Web Services (AWS), DDoS services were offered to prospective customers for $100 per day, $600 per week, and $1,700 per month. The service allegedly permitted up to 100 attacks each day.

The DCAT tool, marketed in the criminal underground as Godzilla, Skynet, and InfraShutdown, has been dismantled as part of a court-authorized seizure of its key components, including servers that were used to launch the DDoS attacks, servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by the group.

"These law enforcement actions were taken as part of Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructure worldwide, and holding accountable the administrators and users of these illegal services," the DoJ said.

The development comes as the Finnish Customs office (aka Tulli) disrupted the Sipulitie darknet marketplace — a successor to Sipulimarket that was taken down by law enforcement in 2020 – which specialized in the sale of drugs and had been operational on the dark web since 2023.

"The website in Finnish and English was used for criminal purposes, such as selling drugs under the cover of anonymity," Tulli said. "The website administrator has said on public forums that Sipulitie's turnover was 1.3 million euros."

Elsewhere, Brazil's Department of Federal Police (DPF) said it arrested a hacker in connection with a series of cyber attacks that breached its own systems and those belonging to other international institutions.

Codenamed Operation Data Breach, the effort saw the execution of a search and seizure warrant and a preventive arrest warrant against the defendant in the city of Belo Horizonte over allegations of leaking sensitive data associated with 80,000 members of InfraGard, a collaborative exercise between the U.S. government and critical infrastructure sectors.

The unnamed individual, who went by the names USDoD and EquationCorp, has also been accused of selling data from the Federal Police twice, on May 22, 2020 and February 22, 2022, as well as leaking data from Airbus and the U.S. Environmental Protection Agency (EPA).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Charges Two Sudanese Brothers for Record 35,000 DDoS Attacks

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical…

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical infrastructure, hospitals, and major tech firms. The FBI seized a powerful DDoS tool; victims include the DOJ, Microsoft, and Cedars-Sinai.

The United States Department of Justice (DoJ) has indicted two Sudanese nationals for their alleged role in operating the hacktivist group Anonymous Sudan. The group claimed fame for conducting “tens of thousands” of large-scale and crippling Distributed Denial of Service attacks (DDoS attacks) targeting critical infrastructure, corporate networks, and government agencies globally.

****The Alleged Masterminds Behind the Attacks****

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, stand accused of conspiracy to damage protected computers. Ahmed Salah faces additional charges for damaging protected computers.

The duo is believed to have controlled Anonymous Sudan, which, since early 2023, launched attacks on high-profile entities such as ChatGPT, UAE’s Flydubai Airline, London Internet Exchange, Microsoft, and the Israeli BAZAN Group.

Anonymous Sudan taking responsibility for DDoS attacks on OpenAI’s ChatGPT (Screenshot credit: Hackrad.com)

The group and its clients also utilized the Distributed Cloud Attack Tool (DCAT) to conduct over 35,000 DDoS attacks. These attacks targeted sensitive government and critical infrastructure in the U.S. and globally, including the Department of Justice, Department of Defense, FBI, State Department, and Cedars-Sinai Medical Center in Los Angeles.

The attacks, which sometimes lasted days, reportedly caused major damage, often crippling websites and networks. For instance, the attack on Cedars-Sinai Medical Center forced the redirection of incoming patients for eight hours, causing over $10 million in damages to U.S. victims.

****FBI Seized Anonymous Sudan’s DDoS Tool****

For your information, DCAT refers to a type of malicious tool or framework that exploits cloud resources across multiple geographic locations to execute cyberattacks. These tools often take advantage of the scalability, distribution, and on-demand nature of cloud services to create strong attack infrastructures.

According to the DoJ’s press release, in March 2024, the U.S. Attorney’s Office and the FBI, acting on court-authorized seizure warrants, successfully disabled and seized Anonymous Sudan’s “powerful DDoS tool.” This tool, which the group allegedly used to execute attacks and sold as a service to other criminals, was the base of their operations.

The March 2024 operation, which disrupted the DCAT tool (also known as “Godzilla,” “Skynet,” and “InfraShutdown”), involved seizing key components, including servers that launched and controlled attacks and those that relayed commands. The warrants also covered accounts containing the source code for the DDoS tools.

“Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world,” stated United States Attorney Martin Estrada. He emphasized the group’s callousness, noting attacks on hospitals providing emergency care. “We are committed to safeguarding our nation’s infrastructure and holding cybercriminals accountable,” he added.

****Operation PowerOFF****

These actions are part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructures active since 2018. Private sector entities like Akamai SIRT, Amazon Web Services, Cloudflare, and Microsoft have played a key role in the takedown since.

In its latest blog post shared with Hackread.com, Akamai SIRT expressed gratitude to the FBI, DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations and disrupting these operations.

“Akamai would like to thank the members of the Federal Bureau of Investigation (FBI), the DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations, as well as their investment of time and energy into unravelling these operations and attempting to disrupt them,” the company said.

1.  Cyberattack on American Water Halts Billing
2.  Dark Web’s cybercrime group indicted after stealing $530M
3.  Technician Indicted for Hacking California Water Treatment Facility
4.  Russian Hacker Wanted for Cyberattacks on Ukraine, $10M Reward
5.  North Korean Hacker Charged for Ransomware Attacks on Hospitals

US Charges Duo Behind Anonymous Sudan for Over 35,000 DDoS Attacks

Ubuntu Security Notice 7069-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7069-1October 15, 2024linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - x86 architecture;  - Cryptographic API;  - CPU frequency scaling framework;  - HW tracing;  - ISDN/mISDN subsystem;  - Media drivers;  - Network drivers;  - NVME drivers;  - S/390 drivers;  - SCSI drivers;  - USB subsystem;  - VFIO drivers;  - Watchdog drivers;  - JFS file system;  - IRQ subsystem;  - Core kernel;  - Memory management;  - Amateur Radio drivers;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - Network traffic control;  - TIPC protocol;  - XFRM subsystem;  - Integrity Measurement Architecture(IMA) framework;  - SoC Audio for Freescale CPUs drivers;  - USB sound devices;(CVE-2024-36971, CVE-2024-42271, CVE-2024-38630, CVE-2024-38602,CVE-2024-42223, CVE-2024-44940, CVE-2023-52528, CVE-2024-41097,CVE-2024-27051, CVE-2024-42157, CVE-2024-46673, CVE-2024-39494,CVE-2024-42089, CVE-2024-41073, CVE-2024-26810, CVE-2024-26960,CVE-2024-38611, CVE-2024-31076, CVE-2024-26754, CVE-2023-52510,CVE-2024-40941, CVE-2024-45016, CVE-2024-38627, CVE-2024-38621,CVE-2024-39487, CVE-2024-27436, CVE-2024-40901, CVE-2024-26812,CVE-2024-42244, CVE-2024-42229, CVE-2024-43858, CVE-2024-42280,CVE-2024-26641, CVE-2024-42284, CVE-2024-26602)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-4.15.0-1136-oracle  4.15.0-1136.147                                  Available with Ubuntu Pro  linux-image-4.15.0-1157-kvm     4.15.0-1157.162                                  Available with Ubuntu Pro  linux-image-4.15.0-1167-gcp     4.15.0-1167.184                                  Available with Ubuntu Pro  linux-image-4.15.0-1174-aws     4.15.0-1174.187                                  Available with Ubuntu Pro  linux-image-4.15.0-1182-azure   4.15.0-1182.197                                  Available with Ubuntu Pro  linux-image-4.15.0-230-generic  4.15.0-230.242                                  Available with Ubuntu Pro  linux-image-4.15.0-230-lowlatency  4.15.0-230.242                                  Available with Ubuntu Pro  linux-image-aws-lts-18.04       4.15.0.1174.172                                  Available with Ubuntu Pro  linux-image-azure-lts-18.04     4.15.0.1182.150                                  Available with Ubuntu Pro  linux-image-gcp-lts-18.04       4.15.0.1167.180                                  Available with Ubuntu Pro  linux-image-generic             4.15.0.230.214                                  Available with Ubuntu Pro  linux-image-kvm                 4.15.0.1157.148                                  Available with Ubuntu Pro  linux-image-lowlatency          4.15.0.230.214                                  Available with Ubuntu Pro  linux-image-oracle-lts-18.04    4.15.0.1136.141                                  Available with Ubuntu Pro  linux-image-virtual             4.15.0.230.214                                  Available with Ubuntu ProUbuntu 16.04 LTS  linux-image-4.15.0-1136-oracle  4.15.0-1136.147~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-1167-gcp     4.15.0-1167.184~16.04.2                                  Available with Ubuntu Pro  linux-image-4.15.0-1174-aws     4.15.0-1174.187~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-230-generic  4.15.0-230.242~16.04.1                                  Available with Ubuntu Pro  linux-image-4.15.0-230-lowlatency  4.15.0-230.242~16.04.1                                  Available with Ubuntu Pro  linux-image-aws-hwe             4.15.0.1174.187~16.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 4.15.0.1167.184~16.04.2                                  Available with Ubuntu Pro  linux-image-generic-hwe-16.04   4.15.0.230.242~16.04.1                                  Available with Ubuntu Pro  linux-image-gke                 4.15.0.1167.184~16.04.2                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-16.04  4.15.0.230.242~16.04.1                                  Available with Ubuntu Pro  linux-image-oem                 4.15.0.230.242~16.04.1                                  Available with Ubuntu Pro  linux-image-oracle              4.15.0.1136.147~16.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-16.04   4.15.0.230.242~16.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7069-1  CVE-2023-52510, CVE-2023-52528, CVE-2024-26602, CVE-2024-26641,  CVE-2024-26754, CVE-2024-26810, CVE-2024-26812, CVE-2024-26960,  CVE-2024-27051, CVE-2024-27436, CVE-2024-31076, CVE-2024-36971,  CVE-2024-38602, CVE-2024-38611, CVE-2024-38621, CVE-2024-38627,  CVE-2024-38630, CVE-2024-39487, CVE-2024-39494, CVE-2024-40901,  CVE-2024-40941, CVE-2024-41073, CVE-2024-41097, CVE-2024-42089,  CVE-2024-42157, CVE-2024-42223, CVE-2024-42229, CVE-2024-42244,  CVE-2024-42271, CVE-2024-42280, CVE-2024-42284, CVE-2024-43858,  CVE-2024-44940, CVE-2024-45016, CVE-2024-46673

Tag

#amazon