Monthly Threat Brief - July 30, 2024
Top 5 DDoS attacks making headlines in cybersecurity (July 2024)
At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the cyber risks that can impact organizations.
This monthly post provides a condensed overview of the threats encountered throughout the month.
Our team brings to you five emerging DDoS threats that you should be aware of, including hacktivist groups targeting the Indian BFSI sector with DDoS attacks, the emergence of the Golang-based Zergeca botnet with high-impact DDoS capabilities, the Muhstik botnet leveraging an Apache RocketMQ weakness for DDoS attacks, OVHcloud thwarting a record-breaking 840 million PPS DDoS attack from compromised MikroTik routers, and the exploitation of a PHP flaw within 24 hours of disclosure for DDoS attacks.
Read on to discover more….
1. Regional body alerts Indian BFSI sector to heightened cyberattack risks
Indian banks are on high alert following warnings from a regional governing body about potential cyber-attacks driven by geopolitical tensions, particularly India’s perceived stance on the recent conflicts. Hacktivist groups, including Lulzsec, have targeted these banks with DDoS attacks, data breaches, and cryptocurrency scams via hijacked social media accounts.
Key incidents include breaches of major banks’ websites, successful DDoS attacks, and leaks of sensitive customer information. Banks have been instructed to monitor critical systems like SWIFT, RTGS, and UPI. These cyber threats pose significant risks to digital wallets and banking applications, impacting not only Indian banks but also financial institutions in the UK, Europe, the U.S., and Israel.
2. Emerging Golang-based Zergeca botnet with high-impact capabilities
Cybersecurity researchers have discovered Zergeca, a sophisticated new botnet developed in Golang, capable of launching distributed denial-of-service (DDoS) attacks using six different methods. Beyond typical DDoS capabilities, Zergeca supports proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. Named after the term “ootheca” found in its command-and-control (C2) servers, Zergeca uses DNS-over-HTTPS (DoH) for C2 resolution and the Smux library for communications.
The botnet’s C2 IP, previously linked to the Mirai botnet, suggests its developers have prior experience with Mirai. From early to mid-June 2024, Zergeca targeted Canada, Germany, and the U.S. with ACK flood attacks. Its four main modules—persistence, proxy, silivaccine, and zombie—enable various functions, including removing competing malware and controlling devices with x86-64 CPU architecture. The malware employs advanced evasion tactics such as modified UPX packing and XOR encryption for sensitive strings.
3. Muhstik botnet leveraging Apache RocketMQ for DDoS attacks
The Muhstik DDoS botnet has been detected exploiting a critical vulnerability (CVE-2023-33246) in Apache RocketMQ, allowing it to hijack vulnerable servers and expand its network. Known for targeting IoT devices and Linux servers, Muhstik combines cryptocurrency mining with DDoS attacks. This exploit enables remote code execution by manipulating the RocketMQ protocol or update configuration feature, leading to the download of the Muhstik malware.
The malware ensures persistence by duplicating itself across directories and modifying system files to restart during boot. Employing evasion tactics, it hides as “pty3” and executes from memory. Muhstik collects system metadata, moves laterally via SSH, and communicates with a C2 domain using IRC to conduct flooding attacks. With over 5,216 instances of Apache RocketMQ still exposed, organizations must update to the latest version to mitigate risks.
4. OVHcloud thwarts 840 million PPS DDoS attack from router malware
In April 2024, OVHcloud successfully mitigated a record-breaking DDoS attack that peaked at 840 million packets per second (840 Mpps), surpassing the previous record of 809 million packets per second (809 Mpps) from 2020. The attack combined a TCP ACK flood from 5,000 source IPs with a DNS reflection attack using 15,000 DNS servers.
OVHcloud noted a rise in the frequency and intensity of DDoS attacks, with many exceeding 1 terabit per second (Tbps). Compromised MikroTik routers, vulnerable due to outdated software, played a significant role. The attack highlighted the adversaries’ capability to channel massive packet rates through limited points of presence, posing significant challenges for mitigation.
5. PHP flaw exploited within 24 hours of disclosure for DDoS attacks
Within a day of its disclosure in early June 2024, the critical PHP security flaw CVE-2024-4577 (CVSS score: 9.8) began being exploited by multiple threat actors. This vulnerability, which allows remote execution of commands on Windows systems using Chinese and Japanese locales, is being used to deploy remote access trojans, cryptocurrency miners, and DDoS botnets.
Security researchers noted the rapid exploitation of this flaw, detecting attacks involving Gh0st RAT, the RedTail and XMRig miners, and the Muhstik botnet. Additionally, researchers reported that TellYouThePass ransomware actors are leveraging this flaw to distribute a .NET variant of their ransomware. The flaw stems from Unicode-to-ASCII conversion errors in PHP on Windows, which let attackers pass malicious arguments directly to the PHP binary.
Key recommendations to combat cyber risks:
- Invest in DDoS protection services and utilize cloud-based DDoS protection to distribute traffic and absorb attacks.
- Implement traffic filtering with firewalls and other security measures.
- Regularly update and patch all systems and software.
- Conduct regular security audits and employee training on phishing and social engineering attacks.
- Implement strict access controls and monitor for unauthorized access on social media accounts.
- Develop and regularly update an incident response plan to address potential security incidents swiftly.
- Implement continuous monitoring of network traffic to detect unusual patterns indicative of DDoS attacks or other malicious activities.
- Ensure all devices are equipped with up-to-date antivirus and anti-malware solutions.
- Regularly update router firmware and operating systems to the latest versions.
- Enforce strong authentication mechanisms to prevent unauthorized access.
- Deploy intrusion detection systems (IDS) to identify and block exploitation attempts in real time.
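As an added example (not code from SISA, OVHcloud or any vendor named in this brief), the following Python sketch shows how a defender might act on the continuous-monitoring recommendation above against the traffic pattern described in item 4: a TCP ACK flood from many sources combined with DNS reflection. It aggregates flow records per second, flags seconds whose packet rate crosses a threshold, and labels them by the two signatures. The flow record fields, thresholds and sample traffic are constructed assumptions for this example; a real deployment would feed it from a NetFlow/sFlow collector and derive the thresholds from the link's measured baseline.

```python
"""Toy per-second DDoS pattern detector over constructed flow records.

Added example; not SISA's or OVHcloud's tooling. Record fields, thresholds and
the two signatures (bare ACKs from many sources, unsolicited DNS replies from
source port 53) are assumptions chosen to mirror the attack in the brief.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record as a collector might export it (assumed schema)."""
    ts: int          # epoch second the flow was observed in
    src: str         # source IP (the reflector's IP for a reflection attack)
    proto: str       # "tcp" or "udp"
    sport: int       # source port
    dport: int       # destination port
    flags: str       # TCP flags, e.g. "A", "S", "PA"; "" for UDP
    packets: int     # packets counted in this record


# Detection thresholds (assumptions; tune to the link's normal baseline).
PPS_THRESHOLD = 100_000   # packets per second before a window is suspicious
MIN_SOURCES = 50          # distinct sources before a flood counts as "distributed"
ACK_ONLY_SHARE = 0.8      # share of TCP packets that are bare ACKs
DNS_REPLY_SHARE = 0.8     # share of UDP packets arriving from source port 53


def classify_windows(flows):
    """Aggregate flows per second and label anomalous seconds.

    Returns {ts: {"pps": int, "sources": int, "label": str}} for each second
    whose packet rate reaches PPS_THRESHOLD; quiet seconds are omitted.
    """
    per_sec = defaultdict(lambda: {"pps": 0, "srcs": set(), "tcp": 0,
                                   "ack_only": 0, "udp": 0, "dns_reply": 0})
    for f in flows:
        w = per_sec[f.ts]
        w["pps"] += f.packets
        w["srcs"].add(f.src)
        if f.proto == "tcp":
            w["tcp"] += f.packets
            # A bare ACK (no SYN/PSH/FIN/RST) for a connection the victim never
            # opened is the hallmark of an ACK flood.
            if f.flags == "A":
                w["ack_only"] += f.packets
        elif f.proto == "udp":
            w["udp"] += f.packets
            # Unsolicited DNS replies (source port 53) at volume indicate reflection.
            if f.sport == 53:
                w["dns_reply"] += f.packets

    findings = {}
    for ts, w in sorted(per_sec.items()):
        if w["pps"] < PPS_THRESHOLD:
            continue
        labels = []
        if (w["tcp"] and w["ack_only"] / w["tcp"] >= ACK_ONLY_SHARE
                and len(w["srcs"]) >= MIN_SOURCES):
            labels.append("tcp-ack-flood")
        if w["udp"] and w["dns_reply"] / w["udp"] >= DNS_REPLY_SHARE:
            labels.append("dns-reflection")
        findings[ts] = {"pps": w["pps"], "sources": len(w["srcs"]),
                        "label": "+".join(labels) or "volumetric-unclassified"}
    return findings


def sample_flows():
    """Constructed traffic: a quiet second, a combined ACK flood plus DNS
    reflection second, then a spike that matches neither signature."""
    flows = []
    # t=100: ordinary HTTPS traffic from 20 clients with data-carrying segments
    for i in range(20):
        flows.append(Flow(100, f"198.51.100.{i}", "tcp", 40000 + i, 443, "PA", 50))
    # t=101: 200 bots send bare ACKs; 150 open resolvers reflect DNS replies
    for i in range(200):
        flows.append(Flow(101, f"203.0.113.{i}", "tcp", 1024 + i, 80, "A", 600))
    for i in range(150):
        flows.append(Flow(101, f"192.0.2.{i}", "udp", 53, 33000 + i, "", 400))
    # t=102: a high-rate SYN burst from only 10 sources (volumetric, unclassified)
    for i in range(10):
        flows.append(Flow(102, f"100.64.0.{i}", "tcp", 50000 + i, 80, "S", 15000))
    return flows


if __name__ == "__main__":
    for ts, finding in classify_windows(sample_flows()).items():
        print(ts, finding)
```

The two labelled signatures are deliberately simple; in practice the per-second counters would be compared against a rolling baseline rather than a fixed threshold, and a hit would feed the filtering and DDoS-protection controls listed earlier rather than only an alert.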
To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch, our daily actionable threat advisories, or check out SISA Weekly Threat Watch on our website.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.