Matrix, a threat actor, has been connected to a pervasive distributed denial-of-service (DDoS) operation that uses Internet of Things (IoT) device vulnerabilities and misconfigurations to co-opt them into a disruptive botnet.
“This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks,” Assaf Morag, director of threat intelligence at cloud security firm Aqua, said.
There is evidence that the operation was carried out by a lone wolf actor, a Russian script kiddie. IP addresses in China and Japan have been the main targets of the attacks, with smaller numbers located in Argentina, Australia, Brazil, Egypt, India, and the United States.
According to the cloud security company, the absence of Ukraine from the victimology indicates that the attackers are motivated only by money.
The attack chains are typified by the use of default or weak credentials, together with known security flaws, to gain access to a wide range of internet-connected devices, including routers, IP cameras, DVRs, and telecom equipment.
Targeting IP address ranges connected to cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, the threat actor has also been seen using improperly configured Telnet, SSH, and Hadoop servers.
To install the Mirai botnet malware and other DDoS-related applications on compromised devices and servers, the malicious activity also makes use of a large number of publicly available scripts and tools hosted on GitHub.
This includes a JavaScript program that executes an HTTP/HTTPS flood attack, PYbot, pynet, DiscordGo, Homo Network, and a utility that can turn off the Microsoft Defender Antivirus software on Windows computers.
Additionally, it was discovered that Matrix staged some of the DDoS artifacts utilized in the attack using a GitHub account they created in November 2023.
A Telegram bot called “Kraken Autobuy” is thought to be used to promote the entire offering as a DDoS-for-hire service, allowing users to select from various levels in exchange for a cryptocurrency payment to launch the attacks.
“This campaign, while not highly sophisticated, demonstrates how accessible tools and basic technical knowledge can enable individuals to execute a broad, multi-faceted attack on numerous vulnerabilities and misconfigurations in network-connected devices,” Morag said.
“The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one.”
The revelation coincides with NSFOCUS’s exploration of the XorBot family of evasive botnets, which since November 2023 have mostly targeted Intelbras cameras and routers made by NETGEAR, TP-Link, and D-Link.
“As the number of devices controlled by this botnet increases, the operators behind it have also begun to actively engage in profitable operations, openly advertising DDoS attack rental services,” the cybersecurity company said, adding the botnet is advertised under the moniker Masjesu.
“At the same time, by adopting advanced technical means such as inserting redundant code and obfuscating sample signatures, they have improved the defensive capabilities at the file level, making their attack behavior more difficult to monitor and identify.”