Emerging Botnet “Gorilla” Launches Large-Scale DDoS Attacks Across Multiple Countries
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of the VeilShell malware used by North Korean APT37 hackers in spear-phishing attacks targeting Southeast Asia. This campaign employs malicious LNK files to enable data exfiltration and persistence. Additionally, the China-linked CeranaKeeper group is conducting large-scale data theft across Southeast Asia using covert communication via GitHub. The emerging Gorilla botnet, based on Mirai’s source code, has launched DDoS attacks in over 100 countries by exploiting Apache Hadoop YARN RPC vulnerabilities. Meanwhile, a critical flaw (CVE-2024-28888) in Foxit Reader is being exploited, and CISA warns of unencrypted cookies in F5 BIG-IP being used for network reconnaissance. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. North Korean Hackers Strike with New VeilShell Backdoor in Targeted Cyber Attacks
North Korean threat actors linked to APT37 are deploying a new backdoor, VeilShell, in a campaign targeting Cambodia and Southeast Asia. Delivered via spear-phishing emails containing a malicious LNK file, the malware uses PowerShell to extract components and achieves persistence through the Startup folder. It tricks users by opening a harmless-looking Excel file while installing malicious files. DomainManager.dll, a key component, acts as a loader, fetching further payloads, including VeilShell, which enables data exfiltration, file manipulation, and persistence.
Recommendations include enabling PowerShell and process creation logging, restricting PowerShell and LNK execution, and blocking malicious domains. Monitoring network traffic, suspicious file activity, and deploying endpoint detection and response (EDR) are essential. Regular security training is advised to raise awareness about the risks of spear-phishing and malicious attachments.
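The first recommendation above (PowerShell and process-creation logging) only pays off if someone correlates the events. The following script is an added example, not SISA's or any vendor's code: it takes Sysmon-like process and file events (constructed samples, not real telemetry) and flags the chain described for VeilShell, PowerShell spawned by explorer.exe (how a double-clicked LNK appears in logs) followed by a PowerShell-originated write into a Startup folder. The 10-minute window and the field names are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Per-user and all-users Startup folders share this path fragment on Windows.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
WINDOW = timedelta(minutes=10)  # assumed correlation window (tunable)

def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")

def find_lnk_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Flag PowerShell spawned by explorer.exe; escalate to 'high' if the same
    host then sees a PowerShell write into a Startup folder within WINDOW."""
    launches = [e for e in events if e["type"] == "process"
                and is_powershell(e["image"])
                and e["parent"].lower().endswith("\\explorer.exe")]
    writes = [e for e in events if e["type"] == "file"
              and is_powershell(e["image"])
              and STARTUP_MARKER in e["target"].lower()]
    alerts = []
    for launch in launches:
        hits = [w["target"] for w in writes if w["host"] == launch["host"]
                and timedelta(0) <= w["ts"] - launch["ts"] <= WINDOW]
        alerts.append({"host": launch["host"], "severity": "high" if hits else "medium",
                       "launch": launch["cmd"], "startup_writes": hits})
    return alerts

# Constructed sample events in a Sysmon-like shape (not real telemetry).
T0 = datetime(2024, 10, 7, 9, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "ts": T0, "image": PS,
     "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\doc.ps1"},
    {"type": "file", "host": "ws01", "ts": T0 + timedelta(minutes=2), "image": PS,
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"type": "process", "host": "ws02", "ts": T0, "image": PS,  # admin shell, not flagged
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmd": "powershell.exe Get-Service"},
    {"type": "process", "host": "ws02", "ts": T0 + timedelta(hours=1), "image": PS,
     "parent": "C:\\Windows\\explorer.exe", "cmd": "powershell.exe -NoProfile -File report.ps1"},
]

def sample_alerts() -> List[Dict]:
    return find_lnk_powershell_chains(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in sample_alerts():
        print(a["host"], a["severity"], a["startup_writes"])
```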
2. China-Linked CeranaKeeper Exploits Southeast Asian Networks in Data Theft
A newly identified threat actor, CeranaKeeper, has been linked to data exfiltration attacks across Southeast Asia, particularly targeting government institutions. Active since early 2022, the group primarily focuses on countries like Thailand, Myanmar, and the Philippines, and appears to align with Chinese strategic interests. CeranaKeeper uses sophisticated techniques, including turning compromised machines into update servers and exploiting GitHub’s pull request and issue comment features for covert communication. The group deploys several custom tools like WavyExfiller, DropboxFlop, OneDoor, and BingoShell, facilitating large-scale data exfiltration.
CeranaKeeper also leverages malware families like TONESHELL, TONEINS, and PUBLOAD for persistence and lateral movement, using techniques such as disabling security products with legitimate drivers. Their continuous tool development enables them to evade detection.
Recommendations include implementing strong network segmentation, using multi-factor authentication (MFA), deploying EDR solutions, and blocking outbound traffic to file-sharing services. Regular software patching, monitoring for unusual network activity, and disabling unnecessary services are essential to mitigating the threat.
3. Emerging Botnet ‘Gorilla’ Launches Large-Scale Attacks Across Multiple Countries
The newly discovered Gorilla botnet, based on Mirai’s leaked source code, has launched widespread DDoS attacks across more than 100 countries, executing over 300,000 attack commands. Targeting IoT devices and cloud hosts, the botnet uses multiple flood techniques, including UDP, SYN, and ACK floods, and exploits an Apache Hadoop YARN RPC vulnerability for remote code execution. Key sectors affected include universities, government agencies, telecoms, banks, and gaming platforms, with China, the U.S., Canada, and Germany being the most impacted.
Gorilla demonstrates advanced persistence by altering system startup configurations and creating service files to maintain control. It also employs encryption and counter-detection techniques to evade security measures, supporting multiple CPU architectures.
Recommendations include patching Apache Hadoop YARN RPC vulnerabilities, monitoring network traffic for abnormal activity like UDP floods and IP spoofing, implementing strict firewall rules, securing IoT devices and cloud hosts, and enabling logging to detect unusual system modifications.
4. Critical Foxit Reader Flaw Exposes Users to Arbitrary Code Execution Risks
A critical vulnerability, CVE-2024-28888, has been discovered in Foxit Reader, allowing attackers to execute arbitrary code via malicious PDFs. The vulnerability can be exploited through phishing emails or compromised websites if the Foxit browser plugin is enabled. Although a patch has been issued, users must update to the latest version to prevent exploitation.
The flaw, a use-after-free vulnerability (CVSS 8.8), stems from improper memory management when handling checkbox field objects within PDFs. Attackers can embed malicious JavaScript into a specially crafted PDF to corrupt memory and execute code. Exploitation requires user interaction, and if the browser plugin is active, visiting a compromised site can trigger the attack without opening the PDF.
Recommendations include updating Foxit Reader to version 2024.3 or later, avoiding suspicious PDFs, disabling JavaScript support, and using antivirus tools to scan files before opening.
5. CISA Warns of Unencrypted Cookies Exploited in F5 BIG-IP for Reconnaissance
CISA has identified threat actors exploiting unencrypted cookies in F5 BIG-IP, enabling them to map target networks and identify non-internet-facing devices. By leveraging persistent cookies, attackers gain valuable network information, potentially leading to further exploitation of vulnerabilities.
The issue involves unencrypted persistent cookies in the F5 BIG-IP Local Traffic Manager (LTM) module, which allows attackers to perform reconnaissance by enumerating internal devices. Although specific threat actors and objectives were not disclosed, the risk is significant as it aids in compromising additional network devices.
Recommendations include configuring cookie encryption within the HTTP profile on F5 BIG-IP devices to protect sensitive data. CISA also suggests using F5’s BIG-IP iHealth diagnostic utility to identify vulnerabilities and improve system security. Regularly updating devices and following F5 and general cybersecurity best practices is essential to prevent such attacks.
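A quick way to verify the cookie-encryption recommendation from the outside is to inspect the Set-Cookie headers a BIG-IP-fronted application returns. The script below is an added example, not CISA's or F5's tooling: it classifies each BIGipServer* persistence cookie as plaintext when the value has the documented unencrypted IPv4 layout (three dot-separated decimal fields ending in 0000) and as opaque otherwise; it deliberately does not decode anything. The sample headers are constructed.

```python
import re
from typing import Dict, List

# Unencrypted IPv4 BIG-IP persistence cookie layout: <address>.<port>.0000,
# all decimal. This check recognises the layout only; it never decodes it.
PLAINTEXT_COOKIE = re.compile(r"^\d{1,10}\.\d{1,5}\.0000$")
BIGIP_COOKIE_PREFIX = "BIGipServer"

def parse_set_cookie(header_value: str):
    """Return (name, value) from a Set-Cookie header, ignoring attributes."""
    first_pair = header_value.split(";", 1)[0]
    name, _, value = first_pair.partition("=")
    return name.strip(), value.strip()

def audit_headers(headers: List[str]) -> List[Dict[str, str]]:
    """Classify every BIGipServer* Set-Cookie header as plaintext or opaque."""
    findings = []
    for line in headers:
        key, _, val = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        name, value = parse_set_cookie(val)
        if not name.startswith(BIGIP_COOKIE_PREFIX):
            continue
        status = "plaintext" if PLAINTEXT_COOKIE.match(value) else "opaque"
        findings.append({"cookie": name, "status": status})
    return findings

# Constructed sample response headers (not captured from any real system).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/; HttpOnly",
    "Set-Cookie: BIGipServerapp_pool=!Zm9vYmFyYmF6cXV4; path=/",
    "Set-Cookie: sessionid=abc123; Secure; HttpOnly",
]

def unencrypted_cookies(headers: List[str] = SAMPLE_HEADERS) -> List[str]:
    """Names of BIG-IP persistence cookies that still use the plaintext layout."""
    return [f["cookie"] for f in audit_headers(headers) if f["status"] == "plaintext"]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(f"{finding['cookie']}: {finding['status']}")
```

Any cookie reported as plaintext should be added to the encrypt-cookies setting of the virtual server's HTTP profile, as the advisory recommends.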