New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Summary:
Researchers have identified a new botnet malware family called Gorilla or GorillaBot, which is a variant of the Mirai botnet source code. Discovered by NSFOCUS, this malware has shown significant activity between September 4 and September 27, 2024, during which it executed over 300,000 attack commands, with an average of 20,000 DDoS commands per day. The botnet has targeted more than 100 countries, primarily affecting sectors like universities, government websites, telecoms, financial institutions, and the gaming and gambling industries. The most impacted nations include China, the U.S., Canada, and Germany.

Gorilla leverages several DDoS techniques, including UDP, ACK BYPASS, Valve Source Engine, SYN, and ACK floods, enabling it to generate large volumes of malicious traffic and overwhelm systems. Its ability to spoof source IP addresses in UDP traffic makes it particularly effective at executing distributed denial-of-service attacks. The botnet supports various CPU architectures, such as ARM, MIPS, and x86, which broadens its capability to infect a wide range of IoT devices and cloud environments. It communicates with one of five command-and-control servers to receive attack instructions.

Security Officer Comments:
In addition to its DDoS functionality, Gorilla exploits a known vulnerability in Apache Hadoop YARN RPC, allowing it to achieve remote code execution. This flaw has been exploited in the wild since 2021 and is well documented by cloud providers and cybersecurity firms. Gorilla demonstrates advanced counter-detection techniques, employing encryption methods used by the Keksec group to hide critical information and avoid detection. Its persistence mechanisms ensure that it remains operational on compromised systems over the long term, allowing the botnet to retain control of infected IoT devices and cloud hosts.

Suggested Corrections:
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not have multi-factor authentication or even the ability to change default usernames and passwords. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
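The "unusual traffic" symptom above can be checked mechanically. The following is an added example (not code from the page, NSFOCUS, or The Hacker News) that scans flow records from an IoT segment and flags sources whose outbound traffic in a short window looks like the SYN, ACK, or UDP floods described in the report: either a large packet count or a fan-out to many distinct destinations. The flow-record fields, the window size, the thresholds, and the sample flows are all assumptions constructed for the example; real deployments would feed it NetFlow/IPFIX or packet-capture summaries and tune the thresholds to the segment's normal baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple, Optional


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (assumed schema, e.g. derived from NetFlow/IPFIX)."""
    ts: float      # start time in seconds on any monotonic clock
    src: str       # source IP inside the monitored segment
    dst: str       # destination IP
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flag letters such as "S", "A", "SA"; "" for UDP
    packets: int   # packets counted in this record


class Finding(NamedTuple):
    window_start: float
    kind: str          # "syn", "ack" or "udp"
    packets: int
    distinct_dst: int


def classify(flow: Flow) -> Optional[str]:
    """Map a flow onto the flood classes named in the report (SYN, ACK, UDP)."""
    if flow.proto == "udp":
        return "udp"
    if flow.proto == "tcp":
        if "S" in flow.flags and "A" not in flow.flags:
            return "syn"   # bare SYNs: half-open connection attempts
        if "A" in flow.flags and "S" not in flow.flags:
            return "ack"   # bare ACKs: ACK flood or established data transfer
    return None            # SYN/ACK replies, ICMP etc. are not a flood class here


def detect_flood_sources(flows: Iterable[Flow], window: float = 10.0,
                         pkt_threshold: int = 5000,
                         dst_threshold: int = 50) -> Dict[str, List[Finding]]:
    """Return {src: [Finding, ...]} for sources that exceed a per-window
    packet count or destination fan-out in any single flood class.
    Thresholds are placeholders; tune them against the segment's baseline."""
    # (src, window index, kind) -> [packet total, set of destinations]
    buckets = defaultdict(lambda: [0, set()])
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        key = (f.src, int(f.ts // window), kind)
        buckets[key][0] += f.packets
        buckets[key][1].add(f.dst)

    findings: Dict[str, List[Finding]] = defaultdict(list)
    for (src, idx, kind), (pkts, dsts) in sorted(buckets.items()):
        if pkts >= pkt_threshold or len(dsts) >= dst_threshold:
            findings[src].append(Finding(idx * window, kind, pkts, len(dsts)))
    return dict(findings)


def sample_flows() -> List[Flow]:
    """Constructed flow records for a small IoT segment (not captured data)."""
    flows = [
        Flow(0.5, "10.20.0.5", "10.0.0.10", "tcp", "S", 1),    # camera opens a stream
        Flow(0.6, "10.20.0.5", "10.0.0.10", "tcp", "A", 900),  # ...and streams video
        Flow(3.0, "10.20.0.5", "10.0.0.53", "udp", "", 12),    # a few DNS lookups
    ]
    # Host 10.20.0.77: SYN flood fanned out across 200 destinations in window 0
    for i in range(200):
        flows.append(Flow(1.0 + i * 0.01, "10.20.0.77",
                          f"198.51.100.{i + 1}", "tcp", "S", 60))
    # Host 10.20.0.88: UDP flood to 10 destinations in window 1 (high volume, low fan-out)
    for i in range(10):
        flows.append(Flow(12.0 + i * 0.5, "10.20.0.88",
                          f"203.0.113.{i + 1}", "udp", "", 1000))
    return flows


if __name__ == "__main__":
    for src, items in detect_flood_sources(sample_flows()).items():
        for item in items:
            print(f"{src}: {item.kind} flood suspected at t={item.window_start:.0f}s "
                  f"({item.packets} packets to {item.distinct_dst} destinations)")
```

The camera host is never reported: its ACK traffic is under the packet threshold and goes to a single destination. The two infected hosts trip different rules, one by fan-out and one by volume, which is why both checks are kept; a single threshold would miss one of the two flood shapes.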

Link(s):
https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html

https://nsfocusglobal.com/over-300000-gorillabot-the-new-king-of-ddos-attacks/