Ubuntu Security Notice 7078-1 - Atte Kettunen discovered that Firefox did not properly validate before inserting ranges into the selection node cache. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-7078-1October 22, 2024firefox vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Firefox could be made to crash or run programs as your loginSoftware Description:- firefox: Mozilla Open Source web browserDetails:Atte Kettunen discovered that Firefox did not properly validate beforeinserting ranges into the selection node cache. An attacker could possiblyuse this issue to cause a denial of service or execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         131.0.3+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-7078-1  CVE-2024-9936Package Information:  https://launchpad.net/ubuntu/+source/firefox/131.0.3+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-7078-1

Red Hat Security Advisory 2024-8014-03 - Network Observability 1.7 for Red Hat OpenShift. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8014.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Network Observability 1.7.0 for OpenShift  
Advisory ID:        RHSA-2024:8014-03  
Product:            Network Observability  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8014  
Issue date:         2024-10-22  
Revision:           03  
CVE Names:          CVE-2024-34155  
====================================================================

Summary: 

Network Observability 1.7 for Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives  
a detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

Network Observability 1.7.0

Security Fix(es):

* Network Observability: Code Execution Vulnerability in Send Library (CVE-2024-43799)  
* Network Observability: XSS vulnerability via prototype pollution (CVE-2024-45801)  
* Network Observability: axios: Server-Side Request Forgery (CVE-2024-39338)  
* Network Observability: Denial of Service Vulnerability in body-parser (CVE-2024-45590)  
* Network Observability: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule (CVE-2024-43788)  
* Network Observability: Backtracking regular expressions cause ReDoS (CVE-2024-45296)  
* Network Observability: Improper Input Handling in Express Redirects (CVE-2024-43796)  
* Network Observability: Improper Sanitization in serve-static (CVE-2024-43800)  
* Network Observability: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)  
* Network Observability: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* Network Observability: Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-34155

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2308193  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://bugzilla.redhat.com/show_bug.cgi?id=2310908  
https://bugzilla.redhat.com/show_bug.cgi?id=2311152  
https://bugzilla.redhat.com/show_bug.cgi?id=2311153  
https://bugzilla.redhat.com/show_bug.cgi?id=2311154  
https://bugzilla.redhat.com/show_bug.cgi?id=2311171  
https://bugzilla.redhat.com/show_bug.cgi?id=2312631  
https://issues.redhat.com/browse/NETOBSERV-1377  
https://issues.redhat.com/browse/NETOBSERV-1509  
https://issues.redhat.com/browse/NETOBSERV-1538  
https://issues.redhat.com/browse/NETOBSERV-1540  
https://issues.redhat.com/browse/NETOBSERV-1564  
https://issues.redhat.com/browse/NETOBSERV-163  
https://issues.redhat.com/browse/NETOBSERV-1666  
https://issues.redhat.com/browse/NETOBSERV-1667  
https://issues.redhat.com/browse/NETOBSERV-1733  
https://issues.redhat.com/browse/NETOBSERV-1746  
https://issues.redhat.com/browse/NETOBSERV-1748  
https://issues.redhat.com/browse/NETOBSERV-1753  
https://issues.redhat.com/browse/NETOBSERV-1766  
https://issues.redhat.com/browse/NETOBSERV-1779  
https://issues.redhat.com/browse/NETOBSERV-1783  
https://issues.redhat.com/browse/NETOBSERV-1788  
https://issues.redhat.com/browse/NETOBSERV-1798  
https://issues.redhat.com/browse/NETOBSERV-1805  
https://issues.redhat.com/browse/NETOBSERV-1806  
https://issues.redhat.com/browse/NETOBSERV-1808  
https://issues.redhat.com/browse/NETOBSERV-1811  
https://issues.redhat.com/browse/NETOBSERV-1812  
https://issues.redhat.com/browse/NETOBSERV-1813  
https://issues.redhat.com/browse/NETOBSERV-1816  
https://issues.redhat.com/browse/NETOBSERV-1819  
https://issues.redhat.com/browse/NETOBSERV-1848  
https://issues.redhat.com/browse/NETOBSERV-1884

Red Hat Security Advisory 2024-8014-03

View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: ICONICS, Mitsubishi Electric
Equipment: ICONICS Product Suite, Mitsubishi Electric MC Works64
Vulnerability: Incorrect Default Permissions
2. RISK EVALUATION
Successful exploitation of this vulnerability could result in disclosure of confidential information, data tampering, or a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ICONICS reports that the following versions of ICONICS and Mitsubishi Electric Products are affected:
ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.3 and prior
Mitsubishi Electric MC Works64: all versions
3.2 Vulnerability Overview
3.2.1 Incorrect Default Permissions CWE-276
There is an incorrect default permissions vulnerability in ICONICS and Mitsubishi Electric products which may allow a disclosure of confidential information, data tampering, or a denial of service condition due to incorrect default permissions.
CVE-2024-7587 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.
3.4 RESEARCHER
Asher Davila and Malav Vyas of Palo Alto Networks reported this vulnerability to ICONICS.
4. MITIGATIONS
Version 10.97.3 CFR1 and later is not vulnerable to this issue. ICONICS recommends that users of its products take the following mitigation steps:
For new systems, use the 10.97.3 CFR1 or later version of the ICONICS products.
If planning to use GENESIS64 v10.97.3 or earlier on a new freshly installed system, do not install the included GenBroker32. Instead, download the latest GenBroker32 from ICONICS and install this version if needed.
For systems that already have v10.97.3 or an earlier version, or MC Works64 installed, verify the permissions on the c:\ProgramData\ICONICS folder do not include "Everyone". If this folder is set to provide access to "Everyone", remove this access by performing the following steps:
Right click C:\ProgramData\ICONICS folder and open the Properties display
Open the Security tab
Click Advanced
Click Change Permissions
Select "Everyone" and check the "Replace all object permissions entries with inheritable permission entries from this project" checkbox
Click Remove
ICONICS and Mitsubishi Electric recommends users update the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here(login required).
ICONICS and Mitsubishi Electric is releasing security updates as critical fixes/rollup releases. Refer to the [ICONICS Whitepaper on Security Vulnerabilities])https://iconics.com/About/Security/CERT), and to the for information on the availability of the security updates.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
October 22, 2024: Initial Publication

ICONICS and Mitsubishi Electric Products

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

Source: StudioProX via Shutterstock

Two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms — as well as government and political organizations — in what experts believe are attempts to pressure the Japanese government. The attacks came after lawmakers boosted the nation's defense budget, and its military conducted exercises with regional allies.

The two pro-Russian cyberthreat groups — NoName057(16) and the Russian Cyber Army Team — started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

In the latest spate of attacks, the groups targeted Japanese industry and government agencies after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military, says Richard Hummel, director of threat intelligence for Netscout.

"Japan had their elections last week, and the leader that took over is no fan of Russia and, in fact, has been very vocal about supporting Ukraine and sending aid," he says. "Japan is also working with the US military on joint exercises and ballistics missiles testing — these are the \[regional events\] that NoName057 will go after."

Related:Hong Kong Crime Ring Swindles Victims Out of $46M

With geopolitical rivalries with China and Russia heating up, Japan is in the midst of its largest military buildup since World War II. In December 2022, the nation unveiled a five-year $320 billion plan that includes long-range cruise missiles that could hit targets in China, North Korea, and Russia. The move marked a significant shift away from Japan's self-defense-only policy, with the government continuing the move by increasing military spending by 16% this year.

On Oct. 17, Japan's Deputy Chief Cabinet Secretary Kazuhiko Aoki said the government is investigating the DDoS attacks.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted government agencies and political organizations in Japan, Netscout stated in its analysis.

The Russian group "has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets," the analysis stated. "As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact."

Related:Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

**Hacktivists and the Resurgence of DDoS**

The attacks mark the latest shift in DDoS attacks. In the past, 85% to 90% of such attacks originated in the gaming world, with players targeting other players, Netscout's Hummel says. Over the past few years, while many hacktivism attacks amounted to little more than PR stunts, cybercriminals have increasingly used DDoS attacks to cause outages in business operations to support a cause or monetize a botnet — sometimes, both.

US authorities recently charged two Sudanese brothers — 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer — following more than 35,000 DDoS attacks during the past 18 months, which targeted government agencies, a major Los Angeles-area hospital, and technology companies. The US Department of Justice charged one of the two brothers with three counts of damage to a protected computer, and the indictment included his message taking credit for "any damage to the hospital ... and their health systems + any collateral damage," according to a federal indictment.

The impact of a DDoS attack on the ability of connected medical devices to operate means that increasingly they will have physical impacts, Hummel says.

Related:DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The brother was "charged with essentially attempted murder, because they were taking down hospital infrastructure where people needed life-saving technology," he says. "If the Internet goes down, then \[these connected medical devices\] stop functioning, they stop checking in."

**Definitively Russian? Nyet**

Both NoName057 and the Russian Cyber Army Team obviously pursue priorities expressed by the Russian government, but that does not necessarily mean they are a military or intelligence agency operation, Hummel says.

Overall, the groups have claimed 60 attacks against 19 different targets in the weeks following the criticism of Japan's accelerated military buildup by Russia's Minister of Foreign Affairs. In a Telegram post, NoName057(16) confirmed the link.

"Particular discontent was caused by the participation of non-regional NATO member countries in the maneuvers, which, in Russia's opinion, increases the threat and is unacceptable," they stated in the Telegram post (machine translated from Russian). "We punish Russophobic Japan and remind you that any measures directed against Russia may end badly."

The groups' attacks against Japan match with previous targeting against any critic of Russia or its strategy, Hummel says.

"I can't say definitively if they are part of the Russian government ... or if any agency is giving them direct instructions," he says. "What I can tell you is that all of the targeting is against groups that are anti-Russia or anti-Muslim. And oftentimes, it's usually going to be in that political sphere when people are vocal about their support of anybody against Russia."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia-Linked Hackers Attack Japan's Govt, Ports

This latest breach was through Zendesk, a customer service platform that the organization uses.

Source: Postmodern Studio via Alamy Stock Photo

Just a few days after the Internet Archive told the public it was getting back on its feet after a data breach and a barrage of distributed denial-of-service (DDoS) attacks forced it to go offline, the digital library website is once again in trouble.

Unknown bad actors have allegedly claimed access tokens to the archive's Zendesk implementation, using them to send a mass email on Oct. 20 to those who tried to interact with the archive's platform.

The email began as follows:

"It's dispiriting to see that even after being made aware of the breach two weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their GitLab secrets," the hacker stated. “As demonstrated by this message, this includes a Zendesk token with perm\[ission\]s to access 800K+ support tickets sent to \[email protected\] since 2018." 

The email continued, "Whether you were trying to ask a general question or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else."

Though it can’t be said for certain, Chris Hickman, chief security officer (CSO) of Keyfactor, said the hacker may not have serious malicious intent, but instead wants to prove a point: that those in charge of the Internet Archive must be more proactive in protecting its network from those who would do much worse.

"This is a security oversight as tokens that are not rotated regularly have longer lifespans, increasing the window of opportunity for attackers to steal and misuse them," Hickman wrote in an emailed statement to Dark Reading. "If a token is not rotated correctly, it might expire, leading to authentication failures for legitimate users. If a malicious actor obtains an unrotated token, they could use it to gain unauthorized access to systems or services, leading to service disruptions and customer frustration, damaging a company's reputation and bottom line."

The organization hasn't made any public comments regarding the latest breach, but it did request donations last week to help support its endeavors of promoting open access to knowledge resources.

Internet Archive Gets Pummeled in Round 2 Breach

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk…

The Internet Archive (Archive.org) suffered a second security breach in October 2024, exposing support tickets through unrotated Zendesk API tokens. The organization faces reputational damage and risks to user data.

The Internet Archive, a non-profit organization founded by Brewster Kahle to preserve the Internet’s history, has been experiencing a series of cyberattacks throughout October 2024. It all started on October 9th with a dual attack: a data breach and a Distributed Denial-of-Service (DDoS) attack, which were **promptly reported by Hackread.com**.

The attack was revealed with a message displayed on the Internet Archive’s website (archive.org), with the hackers themselves, taunting the organization’s security vulnerabilities and announcing the stolen data on a website called “Have I Been Pwned?” (HIBP). 

Reportedly, the hackers exploited a GitLab token, compromising the Archive’s source code and stealing user data from 31 million accounts. This exposed sensitive information, including Bcrypt-hashed passwords and email addresses.

A Pro-Palestinian group SN\_BlackMeta launched another DDoS attack around the same time, temporarily knocking the site offline, including the Wayback Machine, which collects snapshots of hundreds of billions of web pages. While these attacks coincided, they were likely conducted by separate entities.

On October 18, Kahle **confirmed** that stored data is safe and that “Wayback Machine, Archive-It, scanning, and national library crawls have resumed.” He also stated that the organization is taking a cautious approach to rebuilding and strengthening defences.

However, the Internet Archive experienced another security breach on 20 October 2024, where hackers exploited unrotated Zendesk API tokens to access its support platform. The breach exposed thousands of support tickets dating back to 2018, potentially containing personal identification documents, and highlighted a critical lapse in the Archive’s security practices, leading to a failure to rotate access tokens regularly.

According to online malware repository VX-Underground, “The Internet Archive users are reporting to have received this e-mail. It appears that the person(s) who compromised The Internet Archive still maintain some form of persistent access and are trying to send a message.”

****What Now for the Internet Archive?****

The Archive suffered multiple breaches due to vulnerabilities in its infrastructure, allowing attackers to access user data. It is speculated that the attacks were motivated by reputation rather than financial gain, with hackers seeking recognition within hacker communities. Although no ransom demands were made, the stolen data poses risks like **phishing attacks and identity theft**.

The Internet Archive hasn’t yet commented on the recent breach. Nevertheless, considering that it serves as a crucial repository of historical digital information, the series of attacks raise concerns about the long-term safety of this digital treasure trove and signifies the importance of strong cybersecurity measures. Regular security audits, secure coding practices, and prompt responses to vulnerabilities are essential for protecting user data and critical infrastructure. 

1.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
2.  **Archive of Our Own Website Suffering Massive DDoS Attacks**
3.  **Examining the US Government’s DDoS Protection Guidance Update**
4.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**
5.  **Misconfigured AWS bucket exposed 421GB of Artwork Archive data**

Internet Archive (Archive.org) Hacked for Second Time in a Month

Debian Linux Security Advisory 5793-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5793-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 20, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957                  CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961                  CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965                  CVE-2024-9966Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.58-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcUsNcACgkQZF0CR8Nudjd6rg//bZLkI/saFvjiULKRewv88ToCLOpx5l4ht0nHNYjW0Sy1I0FP3YtN8oZN4jJ+pJjDbxEkNDFmoPWVZP+wsUEtBottwQ1mkhSVroH9dJeNs9jWs4Rnxp7S6d3wsIYEQ99gQrPpjBr8jTSjffrLZzc0QlltdiVoc3A2RW9+RSKb/Yql+ylIRJGNI4frHDTkuFVRpC6m+T25Fbak3zF7v8tSOiQNH/2LE/Ez9wV3/PwQxTj6eGRLrJ0SkvwlDh8Z9Y8rm6auLTOxriA3dJfZR1rcmJN4kROyTMBwJTmdfCx03kyHQhxLowEABflzpyUdhqvrFAnnrfLqxTDO9odXJl7uu7sQiM4ed0LSKaX+ycrtHUhmZjWSlhbdE7eywZNAKX9rWf3ZkzqMz8gj256YPbAf1stq/I5vMlophU91X70KNMkogNIdo86ntxkB+vl6ded4LLcUFZYKrdurWD86QNNx0lQRXTlBGfTN+f0ujySbpvBGalpgK2UwLUVhP44q5ZhB1vvgw7ZwVQhpF7Cr1mb0bgR3WYg4XUZKG0jv+UQMR6yW2RxMaOkaKGbUXod+/L0OgN28yw10mg0PKBJKCR5iIxMj+jIAhlOPxiMBZbGYwYzPM5bgqwFRvXdgW1CiVrnRKVp2gN/RPmqF54ExcqyQN1TN4uguzHST/A1xUbtWtt8==vfgN-----END PGP SIGNATURE-----

Debian Security Advisory 5793-1

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS.…

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS. This botnet, which utilizes Mirai botnet source code and advanced techniques, poses a growing and global threat.

NSFOCUS Global Threat Hunting System has detected a new cybersecurity threat: The Gorilla Botnet. In September 2024, this botnet launched a massive series of distributed denial-of-service attacks (DDoS attacks), targeting over 300,000 targets in over 100 countries.

According to NSFOCUS, a renowned Chinese company specializing in application security, Gorilla Botnet is inspired by the infamous **Mirai botnet** and has become a major concern due to its wide reach and stealth capabilities. Gorilla Botnetleverages a network of compromised IoT devices like an army to launch large-scale DDoS attacks. These attacks flood targeted systems with traffic, crippling their access to users.

What makes Gorilla Botnet particularly dangerous is its use of encryption to obscure key data, ensuring long-term control over compromised devices and supporting various CPU architectures, making it compatible with a wide range of devices.

Gorilla Botnet uses a distributed C&C network to manage its operations and offers a variety of DDoS attack methods, including UDP Flood, ACK Bypass Flood, and VSE Flood. Additionally, it utilizes connectionless protocols like UDP to spoof IP addresses and further hide its origin.  

****Global Reach and Impact****

Since September 2024, when its activity was first detected, Gorilla has wasted no time making its mark. In just a month, the botnet unleashed over 300,000 attack commands, averaging a whopping 20,000 per day.

This series of attacks targeted over 100 countries, including economic powerhouses like:

*   **China**
*   **Canada**
*   **Germany**
*   **United States**

Additionally, critical infrastructure including universities, government websites, telecoms, banks, and gaming platforms, fell victim to these attacks.  

****Advanced Capabilities****

According to NSFOCUS’s **report**, Gorilla Botnet’s sophistication goes beyond its attack methods. The malware incorporates encryption algorithms commonly **used** by the notorious **Keksec** hacking group, making it difficult to detect/analyze.

The botnet also shows a strong focus on persistence. By exploiting vulnerabilities like the Apache Hadoop YARN RPC flaw and installing services that automatically execute on system startup, Gorilla becomes a stubborn opponent to eradicate.   

Organizations should strengthen their cybersecurity to address the growing threat of the Gorilla Botnet. Firewalls help block suspicious traffic, while intrusion detection systems (IDS) can spot unusual activity and alert security teams. Using cloud-based **DDoS protection** can also help reduce high-volume attacks, minimizing downtime for critical systems.

1.  Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
2.   Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
4.  Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
5.  US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks

Mirai-Inspired Gorilla Botnet Hits 0.3 Million Targets Across 100 Countries

Plus: The alleged SEC X account hacker gets charged, Kroger wriggles out of a face recognition scandal, and Microsoft deals with missing customer security logs.

In what may be a first, the US Department of Justice this week charged a hacker with attempting to cause injury and death by launching distributed denial-of-service (DDoS) attacks against hospitals. Ahmed Omer and his brother Alaa are accused of carrying out a cyberattack spree that targeted hundreds of victims under the hacktivist banner Anonymous Sudan. The group’s DDoS victims included Microsoft’s Azure cloud services, OpenAI’s ChatGPT, and Israel’s missile alert system, according to prosecutors. It was the brothers’ alleged attacks on hospitals, however, that drew the most serious accusations from the Justice Department, which singled out Ahmed for allegedly seeking to kill people with the crude cyberattacks that overwhelm systems, knocking them offline.

If someone told you there’s a tool that can—using only open source information—create a “cyber profile” of you that can locate your phone in real time or place you at the scene of a crime at any date in the past, would you believe them? Canadian firm Global Intelligence claims to have created such a tool, dubbed Cybercheck, which it has sold to police departments across the US. Cybercheck-generated reports have been used to help convict at least two people of murder. However, a WIRED investigation found that Cybercheck’s reports have produced information that is either inaccurate or impossible to verify. And open source experts say some of the information Cybercheck claims to include—such as a device’s pings to a specific wireless network—would be impossible to obtain from publicly available sources.

The scourge of nonconsensual deepfake images has continued to proliferate, including on Telegram, where millions of people used “nudify” bots to “remove the clothes” of anyone—usually women and girls. A WIRED investigation identified 50 such bots and 25 channels linked to the creation of these abusive AI-generated explicit images. Telegram removed all 75 channels and bots after WIRED reached out, but many of them will likely respawn.

The slow death of the password may have gotten a speed boost this week. The FIDO Alliance, a tech industry association, announced new efforts to help hasten the adoption of passkeys, the cryptographically generated codes that are already replacing less-secure passwords. These efforts include a new Credential Exchange Protocol, which makes it easier to migrate passkeys between platforms and devices, and Passkey Central, a resource for company IT departments that aims to make it easier for organizations to adopt passkeys.

A group of researchers revealed this week that they created an algorithm that generates a malicious prompt capable of instructing an AI chatbot to identify personal information fed into it by a user and secretly send it to an attacker.

Finally, we went back in time to explore how well the US Army’s “solider of tomorrow,” unveiled 65 years ago this week, predicted the future of US military tech.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

If you use uBlock Origin’s Chrome extension to filter out online ads, expect to get mildly annoyed in the near future. Google has begun implementing new Chrome extension standards, called Manifest V3, that will disable the legacy version of uBlock Origin’s extension that most users likely have installed. And while you might be thinking, “Google is a silverback gorilla of online advertising, of course they’re finally forcing me to see ads!” there is some good news. A new version of the ad-filtering extension that meets the Manifest V3 standards, uBlock Origin Lite, is now available. Then again, it won’t block as much as the previous iteration of uBlock. Still, as a Google spokesperson told The Verge, you have options: “The top content filtering extensions all have Manifest V3 versions available — with options for users of AdBlock, Adblock Plus, uBlock Origin and AdGuard.” Either way, you’ll need to install a new extension soon.

**Alabama Man Charged in Hack of the SEC’s X Account**

US authorities announced charges this week against a 25-year-old Alabama man accused of hacking the Security and Exchange Commission’s X account. Prosecutors claim Eric Council Jr. obtained personal information and the materials for a fake ID of a person who controlled the @SECGov account from unidentified coconspirators. Council allegedly used the fake ID to carry out a SIM-swapping attack, duping AT&T retail store staff into giving him a new SIM card, which he ultimately used to take control of the victim’s phone account. The coconspirators used that to gain access to the SEC’s X account, where they posted a fake announcement about Bitcoin’s regulatory status, which was followed by a price jump of $1,000 per bitcoin. Council stands charged of conspiracy to commit aggravated identity theft and access device fraud.

**Kroger Says It Won’t Use Facial Recognition in Its Grocery Stores**

The grocery store chain Kroger has never used facial-recognition technology broadly in its stores and has no current plans to, a spokesperson told Fast Company this week. The company has been facing a firestorm over its use of electronic shelving labels over concerns that ESLs could be used to impose surge pricing on popular items, and fears that the devices could also be deployed with facial recognition. The company did a single-store facial-recognition pilot of a technology called EDGE in 2019, but it did not move forward with the service. US lawmakers including Rashida Tlaib, Elizabeth Warren, and Robert Casey have publicly raised concerns about Kroger’s use of ESLs.

**Microsoft Is Missing More Than 2 Weeks of Cloud Customers’ Security Logs**

Microsoft told customers that it failed to capture more than two weeks of security logs from certain cloud services in September, including Microsoft Entra, Sentinel, Defender for Cloud, and Purview. News of the lost logs was first reported by Business Insider. The company said in the notification that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform.” The blank extends from September 2 to September 19. A Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”

System activity logs are crucial for all sorts of operations and are particularly used for security monitoring and investigations, because they can expose breaches and malicious activity. After Russian hackers breached US government networks through SolarWinds software in 2020, many agencies couldn’t detect the activity in their Microsoft Azure cloud services because they weren’t paying for Microsoft’s premium tier features, so they didn’t have adequate network activity logs. Lawmakers were outraged about the up-charge, and the Biden administration worked for more than two years to get Microsoft to make the logging services free. The company ultimately announced the change in July 2023.

Google Chrome’s uBlock Origin Purge Has Begun

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

Tag

#dos