A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS.…

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS. This botnet, which utilizes Mirai botnet source code and advanced techniques, poses a growing and global threat.

NSFOCUS Global Threat Hunting System has detected a new cybersecurity threat: The Gorilla Botnet. In September 2024, this botnet launched a massive series of distributed denial-of-service attacks (DDoS attacks), targeting over 300,000 targets in over 100 countries.

According to NSFOCUS, a renowned Chinese company specializing in application security, Gorilla Botnet is inspired by the infamous **Mirai botnet** and has become a major concern due to its wide reach and stealth capabilities. Gorilla Botnetleverages a network of compromised IoT devices like an army to launch large-scale DDoS attacks. These attacks flood targeted systems with traffic, crippling their access to users.

What makes Gorilla Botnet particularly dangerous is its use of encryption to obscure key data, ensuring long-term control over compromised devices and supporting various CPU architectures, making it compatible with a wide range of devices.

Gorilla Botnet uses a distributed C&C network to manage its operations and offers a variety of DDoS attack methods, including UDP Flood, ACK Bypass Flood, and VSE Flood. Additionally, it utilizes connectionless protocols like UDP to spoof IP addresses and further hide its origin.  

****Global Reach and Impact****

Since September 2024, when its activity was first detected, Gorilla has wasted no time making its mark. In just a month, the botnet unleashed over 300,000 attack commands, averaging a whopping 20,000 per day.

This series of attacks targeted over 100 countries, including economic powerhouses like:

*   **China**
*   **Canada**
*   **Germany**
*   **United States**

Additionally, critical infrastructure including universities, government websites, telecoms, banks, and gaming platforms, fell victim to these attacks.  

****Advanced Capabilities****

According to NSFOCUS’s **report**, Gorilla Botnet’s sophistication goes beyond its attack methods. The malware incorporates encryption algorithms commonly **used** by the notorious **Keksec** hacking group, making it difficult to detect/analyze.

The botnet also shows a strong focus on persistence. By exploiting vulnerabilities like the Apache Hadoop YARN RPC flaw and installing services that automatically execute on system startup, Gorilla becomes a stubborn opponent to eradicate.   

Organizations should strengthen their cybersecurity to address the growing threat of the Gorilla Botnet. Firewalls help block suspicious traffic, while intrusion detection systems (IDS) can spot unusual activity and alert security teams. Using cloud-based **DDoS protection** can also help reduce high-volume attacks, minimizing downtime for critical systems.

1.  Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
2.   Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
4.  Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
5.  US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks

Mirai-Inspired Gorilla Botnet Hits 0.3 Million Targets Across 100 Countries

Plus: The alleged SEC X account hacker gets charged, Kroger wriggles out of a face recognition scandal, and Microsoft deals with missing customer security logs.

In what may be a first, the US Department of Justice this week charged a hacker with attempting to cause injury and death by launching distributed denial-of-service (DDoS) attacks against hospitals. Ahmed Omer and his brother Alaa are accused of carrying out a cyberattack spree that targeted hundreds of victims under the hacktivist banner Anonymous Sudan. The group’s DDoS victims included Microsoft’s Azure cloud services, OpenAI’s ChatGPT, and Israel’s missile alert system, according to prosecutors. It was the brothers’ alleged attacks on hospitals, however, that drew the most serious accusations from the Justice Department, which singled out Ahmed for allegedly seeking to kill people with the crude cyberattacks that overwhelm systems, knocking them offline.

If someone told you there’s a tool that can—using only open source information—create a “cyber profile” of you that can locate your phone in real time or place you at the scene of a crime at any date in the past, would you believe them? Canadian firm Global Intelligence claims to have created such a tool, dubbed Cybercheck, which it has sold to police departments across the US. Cybercheck-generated reports have been used to help convict at least two people of murder. However, a WIRED investigation found that Cybercheck’s reports have produced information that is either inaccurate or impossible to verify. And open source experts say some of the information Cybercheck claims to include—such as a device’s pings to a specific wireless network—would be impossible to obtain from publicly available sources.

The scourge of nonconsensual deepfake images has continued to proliferate, including on Telegram, where millions of people used “nudify” bots to “remove the clothes” of anyone—usually women and girls. A WIRED investigation identified 50 such bots and 25 channels linked to the creation of these abusive AI-generated explicit images. Telegram removed all 75 channels and bots after WIRED reached out, but many of them will likely respawn.

The slow death of the password may have gotten a speed boost this week. The FIDO Alliance, a tech industry association, announced new efforts to help hasten the adoption of passkeys, the cryptographically generated codes that are already replacing less-secure passwords. These efforts include a new Credential Exchange Protocol, which makes it easier to migrate passkeys between platforms and devices, and Passkey Central, a resource for company IT departments that aims to make it easier for organizations to adopt passkeys.

A group of researchers revealed this week that they created an algorithm that generates a malicious prompt capable of instructing an AI chatbot to identify personal information fed into it by a user and secretly send it to an attacker.

Finally, we went back in time to explore how well the US Army’s “solider of tomorrow,” unveiled 65 years ago this week, predicted the future of US military tech.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

If you use uBlock Origin’s Chrome extension to filter out online ads, expect to get mildly annoyed in the near future. Google has begun implementing new Chrome extension standards, called Manifest V3, that will disable the legacy version of uBlock Origin’s extension that most users likely have installed. And while you might be thinking, “Google is a silverback gorilla of online advertising, of course they’re finally forcing me to see ads!” there is some good news. A new version of the ad-filtering extension that meets the Manifest V3 standards, uBlock Origin Lite, is now available. Then again, it won’t block as much as the previous iteration of uBlock. Still, as a Google spokesperson told The Verge, you have options: “The top content filtering extensions all have Manifest V3 versions available — with options for users of AdBlock, Adblock Plus, uBlock Origin and AdGuard.” Either way, you’ll need to install a new extension soon.

**Alabama Man Charged in Hack of the SEC’s X Account**

US authorities announced charges this week against a 25-year-old Alabama man accused of hacking the Security and Exchange Commission’s X account. Prosecutors claim Eric Council Jr. obtained personal information and the materials for a fake ID of a person who controlled the @SECGov account from unidentified coconspirators. Council allegedly used the fake ID to carry out a SIM-swapping attack, duping AT&T retail store staff into giving him a new SIM card, which he ultimately used to take control of the victim’s phone account. The coconspirators used that to gain access to the SEC’s X account, where they posted a fake announcement about Bitcoin’s regulatory status, which was followed by a price jump of $1,000 per bitcoin. Council stands charged of conspiracy to commit aggravated identity theft and access device fraud.

**Kroger Says It Won’t Use Facial Recognition in Its Grocery Stores**

The grocery store chain Kroger has never used facial-recognition technology broadly in its stores and has no current plans to, a spokesperson told Fast Company this week. The company has been facing a firestorm over its use of electronic shelving labels over concerns that ESLs could be used to impose surge pricing on popular items, and fears that the devices could also be deployed with facial recognition. The company did a single-store facial-recognition pilot of a technology called EDGE in 2019, but it did not move forward with the service. US lawmakers including Rashida Tlaib, Elizabeth Warren, and Robert Casey have publicly raised concerns about Kroger’s use of ESLs.

**Microsoft Is Missing More Than 2 Weeks of Cloud Customers’ Security Logs**

Microsoft told customers that it failed to capture more than two weeks of security logs from certain cloud services in September, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. News of the lost logs was first reported by Business Insider. The company said in the notification that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” The blank extends from September 2 to September 19. A Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

System activity logs are crucial for all sorts of operations and are particularly used for security monitoring and investigations, because they can expose breaches and malicious activity. After Russian hackers breached US government networks through SolarWinds software in 2020, many agencies couldn’t detect the activity in their Microsoft Azure cloud services because they weren’t paying for Microsoft’s premium tier features, so they didn’t have adequate network activity logs. Lawmakers were outraged about the up-charge, and the Biden administration worked for more than two years to get Microsoft to make the logging services free. The company ultimately announced the change in July 2023.

Google Chrome’s uBlock Origin Purge Has Begun

Days after facing a major breach, the site is still struggling to get fully back on its feet.

Source: Postmodern Studio via Alamy Stock Photo

The Internet Archive, a nonprofit digital library website, is beginning to come back online after a data breach and distributed denial-of-service (DDoS) attacks, prompting a week of its systems going offline.

Founded in 1996 by Brewster Kahle, the archive offers users free access to a historical Web collection, known as the Wayback Machine. This including access to more than 150 billion webpages, nearly 250,000 movies, 500,000 audio items, and more.

This free access to these seemingly unlimited resources all came to a halt on Oct. 9, when hackers stole and leaked the account information of a reported 31 million users. 

The users were met with a pop-up that read, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

HIBP is the "Have I Been Pwned" site that allows users to look up whether their personal information has been compromised in a data breach.

The Internet Archive site went offline in an effort to try to prevent such attacks from continuing to happen. Founder Brewster Kahle reported on social platform X that this process would take days, if not weeks.

"The @internetarchive's Wayback Machine resumed in a provisional, read-only manner. .... Please be gentle."

And in an update yesterday, he reported that Wayback Machine is running strong, though the team is still working to bring Internet Archive items and other services online safely.

**DDoS Mania**

Netscout, which has conducted analyses on the breach, reported that its researchers observed 24 DDoS attacks against the Autonomous System Number (ASN) 7941, the ASN used by the Internet Archive project. The first attack lasted more than three hours, and during the attack, three IP addresses used by Internet Archive received DDoS attack traffic.

"These kinds of attacks energize adversaries, and they often attempt to replicate the feat," the Netscout researchers reported. 

Bruno Kurtic, co-founder, president, and CEO of Bedrock Security, notes that perhaps these kind of breaches are inevitable.

"Perimeters will be breached, vulnerabilities will be exploited … attackers will eventually be at the front door of your data stores," he says. "For most enterprises, the first and fundamental gap is not knowing where their data is. Data is fluid, it moves, it sprawls, and it is created at an exponential rate."

To protect that data, Kurtic advises "proactive policy management," as well as detection of movement, encryption, and hashing.

"Monitoring access and continuously scanning to update classifications at hundreds-of-petabytes scale is hard but essential," he adds.

Internet Archive Slowly Revives After DDoS Barrage

US officials disrupted the group's DDoS operation and arrested two individuals behind it, who turned out to be far less intimidating than they were made out to be in the media.

Source: Firoze Edassery via Alamy Stock Photo

A federal grand jury has indicted two Sudanese nationals for their role in operating and controlling one of the most notorious hacktivist groups of recent years.

US officials allege that Ahmed Salah Yousif Omer — just 22 years old — and his brother Alaa Salah Yusuuf Omer, 27, were behind Anonymous Sudan (aka Storm-1359), a threat actor responsible for more than 35,000 distributed denial of service (DDoS) attacks worldwide since early 2023. In the US alone, it has clogged up websites belonging to major technology companies like Microsoft and Riot Games, the Cedars-Sinai Medical Center in Los Angeles — an event which caused an eight-hour disruption to patient care — and major government agencies like the FBI, State Department, Department of Defense, and Department of Justice (DoJ). It's believed that these attacks have caused at least $10 million in damages.

For their roles in "operating and controlling" Anonymous Sudan, Ahmed and Alaa were each charged with one count of conspiracy to damage protected computers. Ahmed also earned three counts for damaging protected computers.

The elder brother faces a maximum sentence of five years in federal prison, should he be found guilty. The younger: life behind bars.

"It's easy to be anonymous, and to hide yourself for a short period of time when visibility is limited," says Adam Meyers, head of counter adversary operations with CrowdStrike, which contributed to the DoJ investigation. "But the longer that things go on, the more that you do, the harder it is to keep up that facade."

**The Latest in Operation PowerOFF**

For years now, law enforcement authorities from the United States, United Kingdom, Germany, Poland, and the Netherlands have been collaborating as part of "Operation PowerOFF," to shutter DDoS-for-hire operations worldwide. PowerOFF has earned some high-profile successes since, including the arrests of the admins behind Webstresser — then the world's leading DDoS marketplace — back in 2018, a successful shutdown of 50 DDoS-for-hire platforms late in 2022, and another wave of "booter site" takedowns the following year. Then, early this year, authorities turned their sights on Anonymous Sudan.

Hacktivist groups, by their nature, are typically louder and easier to read than groups which put more emphasis on stealth and subtlety. "These guys were operating openly on Telegram. They were recruiting. They were talking about what they were up to. They were involved in things like #OpIsrael, and collaborating with groups like KillNet on some pro-Russia attacks. So they weren't hiding in the shadows," Meyers says.

Beyond that, he adds, "They did have some of what we would call OpSec issues, where they thought that they were being a little bit more discreet than they actually were."

With help from the Big Pipes working group — a PowerOFF collaboration between law enforcement and private sector partners — authorities identified assets belonging to Anonymous Sudan, and insights into the brothers at the top of the pyramid. Then in March, US authorities obtained court-authorized warrants to seize the tooling and infrastructure belonging to Anonymous Sudan. The FBI shut up key components of the group's sophisticated Distributed Cloud Attack Tool (DCAT) (aka Skynet, Godzilla, InfraShutdown), including the computer servers used to launch its attacks, those used to relay attack commands to its broader network of connected computers, and online accounts containing the group's source code.

**Not-So-Anonymous Sudan**

During its approximately year-long reign of terror, Anonymous Sudan had been connected with and attributed to a variety of different groups and interests. Some researchers suggested that it was merely a front for the Russian hacktivist collective KillNet. Others went further, suggesting that the group is backed by the Russian state.

"That was a misconception that many folks believed and parroted, with little supporting evidence," explains Chad Seaman, principal security researcher and team lead at Akamai SIRT, which also participates in PowerOFF through the Big Pipes working group. "Mostly this theory seemed to be rooted in their affiliation with KillNet, which as disclosed in the indictment details, seems to be more \[borne of\] an anti-west ideological alignment, and kind of turned into a marketing decision, in part aimed at driving business to their booter services they were selling at the time, due to KillNet's notoriety at the time."

There were some understandable reasons behind those connections: the scale of the operation, its sophistication, its apparent motives, etc. "Take into account their seemingly oddly aligned support of Russian hacktivist groups, being a new group that seemingly sprung up overnight, their ability to launch debilitating attacks, and an assumption that their operations were being paid for to the tune of hundreds of thousands of dollars a month in compute expenses, it's an easy theory to rationalize," he says.

However, he adds, "Attribution is often hard and messy work, and short of very compelling evidence to support such claims, it should always be eyed with a bit of suspicion until proof is provided. This isn't the first time, and it won't be the last, that we've seen theorized attribution fall victim to reality when more pieces of the puzzle fall into place."  

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Anonymous Sudan Unmasked as Leaders Face Life in Prison

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the brothers is facing life in prison for allegedly seeking to kill people with his attacks.

The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running **Anonymous Sudan** (a.k.a. **AnonSudan**), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life in prison for allegedly seeking to kill people with his attacks.

Image: FBI

Active since at least January 2023, AnonSudan has been described in media reports as a “hacktivist” group motivated by ideological causes. But in a criminal complaint, the FBI said those high-profile cyberattacks were effectively commercials for the hackers’ DDoS-for-hire service, which they sold to paying customers for as little as $150 a day — with up to 100 attacks allowed per day — or $700 for an entire week.

The complaint says despite reports suggesting Anonymous Sudan might be state-sponsored Russian actors pretending to be Sudanese hackers with Islamist motivations, AnonSudan was led by two brothers in Sudan — **Ahmed Salah Yousif** **Omer**, 22, and **Alaa Salah Yusuuf Omer**, 27.

AnonSudan claimed credit for successful DDoS attacks on numerous U.S. companies, causing a multi-day outage for Microsoft’s cloud services in June 2023. The group hit **PayPal** the following month, followed by **Twitter/X** (Aug. 2023), and **OpenAI** (Nov. 2023). An indictment in the Central District of California notes the duo even swamped the websites of the **FBI** and the **Department of State**.

Prosecutors say Anonymous Sudan offered a “Limited Internet Shutdown Package,” which would enable customers to shut down internet service providers in specified countries for $500 (USD) an hour. The two men also allegedly extorted some of their victims for money in exchange for calling off DDoS attacks.

The government isn’t saying where the Omer brothers are being held, only that they were arrested in March 2024 and have been in custody since. A statement by the **U.S. Department of Justice** says the government also seized control of AnonSudan’s DDoS infrastructure and servers after the two were arrested in March.

AnonSudan accepted orders over the instant messaging service **Telegram**, and marketed its DDoS service by several names, including “**Skynet**,” “**InfraShutdown**,” and the “**Godzilla botnet**.” However, the DDoS machine the Omer brothers allegedly built was not made up of hacked devices — as is typical with DDoS botnets.

Instead, the government alleges Skynet was more like a “distributed cloud attack tool,” with a command and control (C2) server, and an entire fleet of cloud-based servers that forwards C2 instructions to an array of open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack data to the victims.

**Amazon** was among many companies credited with helping the government in the investigation, and said AnonSudan launched its attacks by finding hosting companies that would rent them small armies of servers.

“Where their potential impact becomes really significant is when they then acquire access to thousands of other machines — typically misconfigured web servers — through which almost anyone can funnel attack traffic,” Amazon explained in a blog post. “This extra layer of machines usually hides the true source of an attack from the targets.”

The security firm **CrowdStrike** said the success of AnonSudan’s DDoS attacks stemmed from a combination of factors, including sophisticated techniques for bypassing DDoS mitigation services. Also, AnonSudan typically launched so-called “Layer 7” attacks that sought to overwhelm targeted “API endpoints” — the back end systems responsible for handling website requests — with bogus requests for data, leaving the target unable to serve legitimate visitors.

The Omer brothers were both charged with one count of conspiracy to damage protected computers. The younger brother — Ahmed Salah — was also charged with three counts of damaging protected computers.

A passport for Ahmed Salah Yousif Omer. Image: FBI.

If extradited to the United States, tried and convicted in a court of law, the older brother Alaa Salah would be facing a maximum of five years in prison. But prosecutors say Ahmed Salah could face life in prison for allegedly launching attacks that sought to kill people.

As Hamas fighters broke through the border fence and attacked Israel on Oct. 7, 2023, a wave of rockets was launched into Israel. At the same time, AnonSudan announced it was attacking the APIs that power Israel’s widely-used “red alert” mobile apps that warn residents about any incoming rocket attacks in their area.

In February 2024, AnonSudan launched a digital assault on the **Cedars-Sinai Hospital** in the Los Angeles area, an attack that caused emergency services and patients to be temporarily redirected to different hospitals.

The complaint alleges that in September 2023, AnonSudan began a week-long DDoS attack against the Internet infrastructure of Kenya, knocking offline government services, banks, universities and at least seven hospitals.

Sudanese Brothers Arrested in ‘AnonSudan’ Takedown

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.
The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks,

Federal prosecutors in the U.S. have charged two Sudanese brothers with running a distributed denial-of-service (DDoS) botnet for hire that conducted a record 35,000 DDoS attacks in a single year, including those that targeted Microsoft's services in June 2023.

The attacks, which were facilitated by Anonymous Sudan's "powerful DDoS tool," singled out critical infrastructure, corporate networks, and government agencies in the United States and around the world, the U.S. Department of Justice (DoJ) said.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, have been charged with one count of conspiracy to damage protected computers. Ahmed Salah has also been charged with three counts of damaging protected computers.

If convicted on all charges, Ahmed Salah faces a statutory maximum sentence of life in federal prison, while Alaa Salah faces a maximum sentence of five years in federal prison. The DDoS tool is said to have been disabled in March 2024, the same month the pair were arrested from an unknown country.

"Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world by perpetrating tens of thousands of cyberattacks," said U.S. attorney Martin Estrada.

"This group's attacks were callous and brazen—the defendants went so far as to attack hospitals providing emergency and urgent care to patients."

Anonymous Sudan, which is tracked by Microsoft under the name Storm-1359, emerged at the start of 2023, orchestrating a series of Swedish, Dutch, Australian, and German organizations. While it claimed to be a hacktivist group, the indictments show that it was just a front for what they really were, a digital mercenary crew.

"After initially joining a brief pro-Russian hacktivist campaign, Anonymous Sudan conducted a series of DDoS attacks with apparent religious and Sudanese nationalist motivations, including campaigns against Australian and Northern European entities," Crowdstrike said.

"The group was also a prominent participant in the annual #OpIsrael hacktivist campaign. Throughout these campaigns, Anonymous Sudan also demonstrated a willingness to collaborate with other hacktivist groups like KillNet, SiegedSec and Türk Hack Team."

Court documents allege that the Anonymous Sudan actors and their customers used the group's Distributed Cloud Attack Tool (DCAT) to conduct thousands of destructive DDoS attacks and publicly claim credit for them, causing more than $10 million in damages to U.S. victims alone.

According to Amazon Web Services (AWS), DDoS services were offered to prospective customers for $100 per day, $600 per week, and $1,700 per month. The service allegedly permitted up to 100 attacks each day.

The DCAT tool, marketed in the criminal underground as Godzilla, Skynet, and InfraShutdown, has been dismantled as part of a court-authorized seizure of its key components, including servers that were used to launch the DDoS attacks, servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by the group.

"These law enforcement actions were taken as part of Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructure worldwide, and holding accountable the administrators and users of these illegal services," the DoJ said.

The development comes as the Finnish Customs office (aka Tulli) disrupted the Sipulitie darknet marketplace — a successor to Sipulimarket that was taken down by law enforcement in 2020 – which specialized in the sale of drugs and had been operational on the dark web since 2023.

"The website in Finnish and English was used for criminal purposes, such as selling drugs under the cover of anonymity," Tulli said. "The website administrator has said on public forums that Sipulitie's turnover was 1.3 million euros."

Elsewhere, Brazil's Department of Federal Police (DPF) said it arrested a hacker in connection with a series of cyber attacks that breached its own systems and those belonging to other international institutions.

Codenamed Operation Data Breach, the effort saw the execution of a search and seizure warrant and a preventive arrest warrant against the defendant in the city of Belo Horizonte over allegations of leaking sensitive data associated with 80,000 members of InfraGard, a collaborative exercise between the U.S. government and critical infrastructure sectors.

The unnamed individual, who went by the names USDoD and EquationCorp, has also been accused of selling data from the Federal Police twice, on May 22, 2020 and February 22, 2022, as well as leaking data from Airbus and the U.S. Environmental Protection Agency (EPA).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Charges Two Sudanese Brothers for Record 35,000 DDoS Attacks

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical…

The US DoJ indicts two Sudanese nationals allegedly behind Anonymous Sudan for over 35,000 DDoS attacks targeting critical infrastructure, hospitals, and major tech firms. The FBI seized a powerful DDoS tool; victims include the DOJ, Microsoft, and Cedars-Sinai.

The United States Department of Justice (DoJ) has indicted two Sudanese nationals for their alleged role in operating the hacktivist group Anonymous Sudan. The group claimed fame for conducting “tens of thousands” of large-scale and crippling Distributed Denial of Service attacks (DDoS attacks) targeting critical infrastructure, corporate networks, and government agencies globally.

****The Alleged Masterminds Behind the Attacks****

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, stand accused of conspiracy to damage protected computers. Ahmed Salah faces additional charges for damaging protected computers.

The duo is believed to have controlled Anonymous Sudan, which, since early 2023, launched attacks on high-profile entities such as ChatGPT, UAE’s Flydubai Airline, London Internet Exchange, Microsoft, and the Israeli BAZAN Group.

Anonymous Sudan taking responsibility for DDoS attacks on OpenAI’s ChatGPT (Screenshot credit: Hackrad.com)

The group and its clients also utilized the Distributed Cloud Attack Tool (DCAT) to conduct over 35,000 DDoS attacks. These attacks targeted sensitive government and critical infrastructure in the U.S. and globally, including the Department of Justice, Department of Defense, FBI, State Department, and Cedars-Sinai Medical Center in Los Angeles.

The attacks, which sometimes lasted days, reportedly caused major damage, often crippling websites and networks. For instance, the attack on Cedars-Sinai Medical Center forced the redirection of incoming patients for eight hours, causing over $10 million in damages to U.S. victims.

****FBI Seized Anonymous Sudan’s DDoS Tool****

For your information, DCAT refers to a type of malicious tool or framework that exploits cloud resources across multiple geographic locations to execute cyberattacks. These tools often take advantage of the scalability, distribution, and on-demand nature of cloud services to create strong attack infrastructures.

According to the DoJ’s press release, in March 2024, the U.S. Attorney’s Office and the FBI, acting on court-authorized seizure warrants, successfully disabled and seized Anonymous Sudan’s “powerful DDoS tool.” This tool, which the group allegedly used to execute attacks and sold as a service to other criminals, was the base of their operations.

The March 2024 operation, which disrupted the DCAT tool (also known as “Godzilla,” “Skynet,” and “InfraShutdown”), involved seizing key components, including servers that launched and controlled attacks and those that relayed commands. The warrants also covered accounts containing the source code for the DDoS tools.

“Anonymous Sudan sought to maximize havoc and destruction against governments and businesses around the world,” stated United States Attorney Martin Estrada. He emphasized the group’s callousness, noting attacks on hospitals providing emergency care. “We are committed to safeguarding our nation’s infrastructure and holding cybercriminals accountable,” he added.

****Operation PowerOFF****

These actions are part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructures active since 2018. Private sector entities like Akamai SIRT, Amazon Web Services, Cloudflare, and Microsoft have played a key role in the takedown since.

In its latest blog post shared with Hackread.com, Akamai SIRT expressed gratitude to the FBI, DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations and disrupting these operations.

“Akamai would like to thank the members of the Federal Bureau of Investigation (FBI), the DOJ, and the Big Pipes working group for their commitment to prioritizing DDoS investigations, as well as their investment of time and energy into unravelling these operations and attempting to disrupt them,” the company said.

1.  Cyberattack on American Water Halts Billing
2.  Dark Web’s cybercrime group indicted after stealing $530M
3.  Technician Indicted for Hacking California Water Treatment Facility
4.  Russian Hacker Wanted for Cyberattacks on Ukraine, $10M Reward
5.  North Korean Hacker Charged for Ransomware Attacks on Hospitals

US Charges Duo Behind Anonymous Sudan for Over 35,000 DDoS Attacks

The US has accused two brothers of being part of the hacker group Anonymous Sudan, which allegedly went on a wild cyberattack spree that hit hundreds of targets—and, for one of the two men, even put lives at risk.

For hackers seeking to maximize chaos, so-called denial-of-service attacks that knock targets offline with waves off junk traffic are typically more of a blunt cudgel than a weapon of mass destruction. But according to the US Department of Justice, a pair of Sudanese brothers allegedly behind the hacktivist group Anonymous Sudan launched a spree of those crude cyberattacks that was both powerful and cruel enough in its choice of victims—extending to dozens of hospitals in multiple countries, Israel’s missile alert system, and hundreds of other digital services—that one of them is now being charged not only with criminal hacking but also with the rare added allegation of seeking to cause physical injury and death.

On Wednesday the DOJ unsealed charges against brothers Ahmed and Alaa Omer, who allegedly launched a punishing bombardment of more than 35,000 distributed denial-of-service, or DDoS, attacks against hundreds of organizations, taking down websites and other networked systems as part of both their own ideologically motivated hacktivism, as a means of extortion, or on behalf of clients of a cyberattack-for-hire service they ran for profit. According to US prosecutors and the FBI, their victims included Microsoft's Azure cloud services, OpenAI's ChatGPT, video game and media companies, airports, and even the Pentagon, the FBI, and the Department of Justice itself.

In image of Ahmed Omer’s passport released by the FBI.

“We declare cyber war on the United States,” Ahmed Omer posted in a message to Anonymous Sudan's Telegram channel in April of last year, according to the indictment. "The United States will be our primary target.”

Anonymous Sudan also targeted hospitals in the US, Denmark, Sweden, and India. In at least one case in February, prosecutors say, the attacks on Cedars-Sinai Health Systems in Los Angeles caused hours of downtime for health care services that diverted patients to other hospitals. In that Los Angeles incident, the Justice Department claims that one of the two hackers explicitly sought to cause potentially deadly harm.

“Bomb our hospitals in Gaza, we shut down yours too, eye for eye,” Ahmed Omer allegedly wrote on Telegram in the midst of the attack. As a result of those hospital attacks, prosecutors are bringing charges against Ahmed Ohmer that carry a potential life sentence, which prosecutors describe as the most severe criminal charges ever brought against a hacker accused of denial-of-service attacks.

In earlier cases, US authorities claim, the hackers used cyberattacks to disrupt Israel's Tzeva Adom or “Code Red” missile alert app, tearing the system offline in the midst of deadly rocket attacks by Hamas, including during Hamas's attacks on October 7th of last year.

An Anonymous Sudan image included in the FBI’s complaint against the Omer brothers.

“The actions taken by this group were callous and brazen,” Martin Estrada, a US attorney for the Central District of California and lead prosecutor in the case, told reporters in a conference call. “This group was motivated by their extremist ideology, essentially a Sudanese nationalist ideology.”

Despite publicizing its charges against the two men, Estrada declined to make clear the whereabouts of the two alleged hackers—though he noted that they are in custody. An FBI affidavit accompanying the indictment states that an FBI agent, Elliott Peterson, interviewed both of the Omer brothers and that Ahmed Omer admitted to being an Anonymous Sudan administrator.

Law enforcement agencies also appear to have carried out an operation to take down Anonymous Sudan's infrastructure in March of this year, which prevented the group from carrying out further attacks. The Telegram channel where the group boasted of its targeting and advertised its for-profit attack service went entirely silent around that time and has since ceased to exist. “Anonymous Sudan in name and in operation is effectively dead,” says Chad Seaman, a principal security researcher for tech firm Akamai and a member of Big Pipes, a working group focused on DDoS that closely tracked the group and collaborated with law enforcement in its investigation.

From mid-2023 until that takedown, Anonymous Sudan distinguished itself among self-proclaimed hacktivists with a series of shockingly large and high-profile DDoS attacks. In June of last year, for instance, it pummeled Microsoft's Azure cloud services for days, knocking it intermittently offline and demanding a million-dollar ransom to stop. It also repeatedly took down OpenAI's ChatGPT in December and wrote on Telegram that it was targeting the company due to the pro-Israeli posts of one of its employees.

Anonymous Sudan has at times, in fact, appeared to have formal or informal ties to anti-Israel forces: According to prosecutors, it launched disruptive cyberattacks that targeted Israel's Tzeva Adom missile alert system on October 7, 2023, in the midst of attacks by the militant wing of Hamas that killed nearly 1,200 Israelis. As Israel's ensuing bombardment and invasion of the Gaza strip killed tens of thousands of Palestinian civilians over the months that followed, Anonymous Sudan frequently described the motivation for its attacks in its Telegram posts as the defense of Palestinians.

In December of 2023, for instance, Anonymous Sudan took OpenAI's ChatGPT offline with a sustained series of DDoS attacks in response to the company's executive Tal Broda vocally supporting the Israel Defense Forces’ missile attacks in Gaza. “More! No mercy! IDF don't stop!” Broda had written on X over a photo of a devastated urban landscape in Gaza, and in another post denied the existence of Palestine.

“We will continue targeting ChatGPT until the genocide supporter, Tal Broda, is fired and ChatGPT stops having dehumanizing views of Palestinians," Anonymous Sudan responded in a Telegram post explaining its attacks on OpenAI.

Still, Anonymous Sudan's true goals haven't always seemed entirely ideological, Akamai's Seaman says. The group has also offered to sell access to its DDoS infrastructure to other hackers: Telegram posts from the group as recently as March offered the use of its DDoS service, known as Godzilla or Skynet, for $2,500 a month. That suggests that even its attacks that appeared to be politically motivated may have been intended, at least in part, as marketing for its moneymaking side, Seaman argues.

“They seem to have thought, ‘We can get involved, really put a hurting on people, and market this service at the same time,’” Seaman says. He notes that, in the group's anti-Israel, pro-Palestine focus following the October 7 attacks, “there’s definitely an ideological thread in there. But the way it weaved through the different victims is something that maybe only the perpetrators of the attack fully understand.”

At times, Anonymous Sudan also hit Ukrainian targets, seemingly partnering with pro-Russian hacker groups like Killnet. That led some in the cybersecurity community to suspect that Anonymous Sudan was, in fact, a Russia-linked operation using its Sudanese identity as a front, given Russia's history of using hacktivism as false flag. The charges against Ahmed and Alaa Omer suggest that the group was, instead, authentically Sudanese in origin. But aside from its name, the group doesn't appear to have any clear ties to the original Anonymous hacker collective, which has been largely inactive for the last decade.

Aside from its targeting and politics, the group has distinguished itself through a relatively novel and effective technical approach, Akamai's Seaman says: Its DDoS service was built by gaining access to hundreds or possibly even thousands of virtual private servers—often-powerful machines offered by cloud services companies—by renting them with fraudulent credentials. It then used those machines to launch so-called layer 7 attacks, overwhelming web servers with requests for websites, rather than the lower-level floods of raw internet data requests that DDoS hackers have tended to use in the past. Anonymous Sudan and the customers of its DDoS services would then target victims with vast numbers of those layer 7 requests in parallel, sometimes using techniques called “multiplexing” or “pipelining” to simultaneously create multiple bandwidth demands on servers until they dropped offline.

For at least nine months, the group's technical power and brazen, unpredictable targeting made it a top concern for the anti-DDoS community, Seaman says—and for its many victims. “There was a lot of uncertainty about this group, what they were capable of, what their motivations were, why they targeted people,” says Seaman. “When Anonymous Sudan went away, there was a spike in curiosity and definitely a sigh of relief.”

The Justice Department's decision to level a criminal charge against Ahmed Omer that could lead to a life sentence for a denial-of-service attack may seem haphazard, given that state-sponsored cyberattacks and ransomware have often caused far more serious damage to health care networks, says Josh Corman, a researcher at the Institute for Security and Technology who has long focused on health care-targeted hacking. Corman says he's nonetheless encouraged to see prosecutors recognize that even crude cyberattacks can have serious—and even lethal—effects on victims.

“Yes, denial-of-service attacks can degrade and deny patent care to cause loss of life,” says Corman. “While this is the first, and it may seem arbitrary until we get more details, it could be heartening to see that we understand the outsize consequences of these attacks.”

_Updated 5 pm ET, October 16, 2024: While Anonymous Sudan is accused of launching thousands of attacks, the number of targets was in the hundreds. We've updated the story to clarify that distinction._

Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals

Hey there, it's your weekly dose of "what the heck is going on in cybersecurity land" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.
So let's jump in before we get FOMO.
⚡ Threat of the Week
GoldenJackal Hacks Air-Gapped Systems: Meet

Hey there, it's your weekly dose of "_what the heck is going on in cybersecurity land_" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.

So let's jump in before we get FOMO.

****⚡ Threat of the Week****

**GoldenJackal Hacks Air-Gapped Systems:** Meet GoldenJackal, the hacking crew you've probably never heard of – but should definitely know about now. They're busting into super-secure, air-gapped computer systems with sneaky worms spread through infected USB drives (yes, really!), proving that even the most isolated networks aren't safe. ESET researchers caught them red-handed using two different custom-made tools to target high-profile victims, including a South Asian embassy in Belarus and a European Union government organization.

****🔔 Top News****

*   **Mozilla Patches Firefox 0-Day:** Mozilla patched a critical zero-day flaw in its Firefox browser that it said has been actively exploited in the wild to target Tor browser users. While there are currently no details on the attacks, users are advised to update to Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1.
*   **Contagious Interview Remains Lucrative for N. Korea:** Ever since details about a North Korean hacking campaign called Contagious Interview came to light nearly a year ago, it has continued to target the technology sector with no signs of stopping anytime soon. These attacks aim to deliver backdoors and information-stealing malware by deceiving developers into executing malicious code under the pretext of a coding assignment as part of a job interview after approaching them on platforms like LinkedIn.
*   **OpenAI Disrupts Malicious Operations:** OpenAI said it has disrupted over 20 malicious cyber operations since the start of the year that abused its generative artificial intelligence (AI) chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and vulnerability research. One of the activity clusters was observed targeting OpenAI employees via spear-phishing attacks to deploy the SugarGh0st RAT.
*   **FBI Creates Fake Crypto to Disrupt Fraudulent Operation:** The U.S. Federal Bureau of Investigation (FBI) took the "unprecedented step" of creating its own cryptocurrency token and a company called NexFundAI to take down a fraud operation that allegedly manipulated digital asset markets by orchestrating an illegal scheme known as wash trading. A total of 18 people and entities have been charged in connection with the pump-and-dump scam, with three arrests reported so far.
*   **Gorilla Botnet Launches 300,000 DDoS Attacks Across 100 Countries:** A botnet malware family called Gorilla issued over 300,000 attack commands in the month of September 2024 alone, targeting universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany. The botnet is based on the leaked Mirai botnet source code.

****📰 Around the Cyber World****

*   **Microsoft Announces Windows 11 Security Baseline:** Microsoft has released the Windows 11, version 24H2 security baseline with added protections to LAN Manager, Kerberos, User Account Control, and Microsoft Defender Antivirus. It also includes Windows Protected Print (WPP), which the company described as the "new, modern and more secure print for Windows built from the ground up with security in mind." In a related development, the tech giant announced a redesigned Windows Hello experience and API support for third-party passkey providers like 1Password and Bitwarden to plug into the Windows 11 platform.
*   **Apple macOS iPhone Mirroring is Broken:** Apple announced a new iPhone mirroring feature with macOS 15.0 Sequoia, but cybersecurity firm Sevco has uncovered a privacy risk that could expose metadata associated with apps on an employee's personal iPhone to their corporate IT department. The issue stems from the fact that the iOS apps mirrored to the Mac populate the same application metadata as native macOS applications, thereby leaking information about the apps that may be installed on their phones. Apple has acknowledged the problem and is said to be working on a fix.
*   **Social Engineering Via Phone Calls:** Threat actors have found an effective social engineering vector in phone calls in order to trick users into performing an unintended action, a technique also called telephone-oriented attack delivery (TOAD), callback phishing, and hybrid vishing (a combination of voice and phishing). Intel 471 said it has observed a "sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls, and other fraud-oriented social-engineering attempts."
*   **Malicious Extensions Can Bypass Manifest V3:** Google has said Manifest V3, its latest version of the extensions platform, avoids the security loopholes of its predecessor, which allowed browser add-ons to have excessive permissions and inject arbitrary JavaScript. However, new research has found that it's still possible for malicious actors to exploit minimal permissions and steal data. The findings were presented by SquareX at the DEF CON conference back in August. The research also coincides with a study that discovered "hundreds of extensions automatically extracting user content from within web pages, impacting millions of users."
*   **What can a USB reveal?:** A new analysis from Group-IB goes into detail about the artifacts generated in the USB device when files are accessed or modified on devices running various operating systems. "USB formatted with NTFS, FAT32, and ExFAT often create temporary files, particularly during file modifications," the company said. "USB formatted with NTFS on Windows provided more information on file system changes from the $Logfile due to its journaling capabilities." USB formatted with HFS+ has been found to store versions of files that have been edited with GUI tools in a versioning database. Likewise, USB formatted with FAT32/ExFAT on macOS generates ". \_filename" files to ensure file system compatibility for storing extended attributes.

**🔥 **Cybersecurity Resources & Insights****

*   **Expert Webinars**
    *   **Building a Successful Data Security Posture Management Program**: Drowning in data security headaches? Hear directly from Global-e's CISO how Data Security Posture Management (DSPM) transformed their data security. Get real-world insights, and practical advice, get your questions answered and actionable strategies in this exclusive webinar, and walk away with a clear roadmap. Reserve your seat today!
    *   **Ex-Mandiant Expert Exposes Identity Theft Tactics**: LUCR-3 is breaching organizations like yours through identity-based attacks. Learn how to protect your cloud and SaaS environments from this advanced threat. Cybersecurity expert Ian Ahl (former Mandiant) reveals the latest tactics and how to defend your organization. Register for this crucial webinar to gain the upper hand.
*   **Ask the Expert**
    *   **Q: With mobile devices increasingly targeted by cybercriminals, how can individuals protect their devices from network-based attacks, especially in unfamiliar or high-risk environments, such as when traveling?**
    *   **A:** When you're traveling, your mobile device can be a target for attacks like rogue base stations—fake cell towers set up to steal data or track your location. To protect yourself, start by enabling Lockdown Mode on iPhones, which blocks vulnerable 2G connections. Always use a VPN to keep your internet traffic encrypted and avoid using public Wi-Fi without it. A great tool to boost your awareness is the CellGuard app for iOS. It scans your network for suspicious activity, like rogue base stations, by analyzing things like signal strength and network anomalies. While it may flag some false alarms, it gives you an extra layer of protection.
*   **Cybersecurity Tools**
    *   **Broken Hill: A New Tool to Test AI Models' Weaknesses** \- It is an advanced tool that makes it easy to trick large AI models into misbehaving by bypassing their restrictions. It uses the Greedy Coordinate Gradient (GCG) attack to craft clever prompts that push popular models, like Llama-2 and Microsoft's Phi, to respond in ways they normally wouldn't. The best part? You can run it on consumer GPUs, like the Nvidia RTX 4090, without needing costly cloud servers. Ideal for researchers and security testers, Broken Hill helps uncover and fix vulnerabilities in AI models, making it a must-have tool in the fight against AI threats.
*   **Tip of the Week**
    *   **Your Browser Extensions Are Spying on You:** Browser extensions can be useful but also risky, with potential access to your data or hidden malware. Protect yourself by removing unused extensions, checking their permissions, and only allowing them to run on specific sites. Enable "Click to activate" for more control, and use tools like Chrome's Extension Source Viewer to spot any suspicious behavior. Keep extensions updated, monitor network traffic for unusual activity, and consider using a separate browser for sensitive tasks. Features like Firefox's Temporary Container Tabs can also help by isolating extension access. These simple steps can keep your browsing safer.

****Conclusion****

And that's how the cybersecurity cookie crumbles this week! But listen, before you log off and chill, remember this: always double-check the sender's email address before clicking any links, even if it looks like it's from your bestie or your bank. Phishing scams are getting sneakier than ever, so stay sharp! Until next time, stay safe and cyber-aware!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and Trends (Oct 7 - Oct 13)

A list of topics we covered in the week of October 7 to October 13 of 2024

October 10, 2024 - The Internet Archive has been hit hard by a data breach and several DDoS attacks all around the same time.

October 9, 2024 - While Google is experimenting on how its search results page looks like, we are reminded of what users need the most: indicators of confidence.

October 9, 2024 - Chatbot companion platform muah.ai was hacked and had its chatbot prompts stolen.

October 8, 2024 - Money transfer giant MoneyGram has notified customers about a data breach that has spilt sensitive customer information.

October 8, 2024 - This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam.

Tag

#ddos