A threat actor called Matrix has been linked to a widespread distributed denial-of-service (DoD) campaign that exploits vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet.
“This operation serves as an end-to-end package for scanning, exploiting vulnerabilities, deploying malware, and configuring shop kits, demonstrating a self-contained approach to cyber attacks,” Assaf Morag, director of threat intelligence at Cloud Security. Aqua company said.
There is evidence that the operation is the work of a lone wolf actor, a screenwriter of Russian origin. The attacks mainly targeted IP addresses in China, Japan and to a lesser extent in Argentina, Australia, Brazil, Egypt, India and the US
The absence of Ukraine in the victimological trail indicates that the attackers are driven solely by financial motives, the cloud security firm said.
Attack chains are characterized by the use of known security flaws and standard or weak credentials to gain access to a wide range of Internet-connected devices such as IP cameras, video recorders, routers and telecommunications equipment.
The attacker was also seen using misconfigured Telnet, SSH, and Hadoop servers with a particular focus on IP address ranges associated with cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
The malware also relies on a wide variety of public scripts and tools available on GitHub, ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.
This includes PYbot, pinette, DiscordGo, Homo Networka JavaScript program that implements an HTTP/HTTPS flooding attack and a tool that can disable Microsoft Defender Antivirus on Windows machines.
Matrix was also found to be using their own GitHub account, which they opened in November 2023, to host some of the DDoS artifacts used by the company.
The entire offering is also believed to be advertised as a DDoS-for-hire service through a Telegram bot called “Kraken Autobuy,” which allows customers to choose from different tiers in exchange for payment in cryptocurrency to carry out the attacks.
“This campaign, while not particularly sophisticated, demonstrates how available tools and basic technical knowledge can allow individuals to launch a broad, multifaceted attack against multiple vulnerabilities and misconfigurations of networked devices,” Morag said.
“The simplicity of these techniques underscores the importance of applying basic security practices such as changing default credentials, securing administrative protocols, and applying timely firmware updates to protect against widespread opportunistic attacks like this one.”
The disclosure comes as NSFOCUS shines a light on a family of evasive botnets XorBot from November 2023 mainly targeting Intelbras cameras and routers from NETGEAR, TP-Link and D-Link.
“As the number of devices controlled by this botnet increased, the operators behind it also began to actively engage in profitable operations, openly advertising DDoS attack-for-hire services,” the cybersecurity company said in a statement. saidadding that the botnet is advertised under the alias Masjesu.
“At the same time, by adopting advanced techniques such as injecting redundant code and obfuscating signature patterns, they have improved file-level defenses, making it more difficult to monitor and identify their attack.”
