Headline
‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks
Aqua Nautilus researchers have discovered a campaign powering a series of large-scale DDoS attacks launched by Matrix, which…
Aqua Nautilus researchers have discovered a campaign powering a series of large-scale DDoS attacks launched by Matrix, which could be a Russian threat actor. Learn about the vulnerabilities exploited, the techniques used, and the possible impact on businesses worldwide.
Cybersecurity researchers at Aqua Nautilus have discovered a new Distributed Denial of Services (DDoS) campaign launched by a threat actor known as Matrix, exploiting readily available tools and minimal technical expertise.
According to Aqua Nautilus’ investigation, shared with Hackread.com, Matrix, which the researchers have labeled as script kiddies, targets a large network of internet-connected devices, including IoT devices, cameras, routers, DVRs, and enterprise systems, marking a transformation in focus for DDoS attacks.
The attackers use different techniques, mapped to the MITRE ATT&CK framework, primarily relying on brute-force attacks, exploiting weak default credentials and misconfigurations to gain initial access.
Once compromised, devices are incorporated into a larger botnet. The attackers also utilize various public scripts and tools to scan for vulnerable systems, deploy malware, and execute attacks.
According to Aqua Nautilus’ blog post, despite initial indications of Russian affiliation, the lack of Ukrainian targets suggests a primary focus on financial gain rather than political objectives. Matrix has created a Telegram bot, Kraken Autobuy, to sell DDoS attack services targeting Layer 4 (Transport Layer) and Layer 7 (Application Layer) attacks, further emphasizing the commercialization of this campaign.
(Via Aqua Nautilus)
The campaign exploits a mix of recent and older vulnerabilities, including the following:
- CVE-2014-8361
- CVE-2017-17215
- CVE-2018-10562
- CVE-2022-30525
- CVE-2024-27348
- CVE-2018-10561
- CVE-2018-9995
- CVE-2018-9995
- CVE-2017-18368
- CVE-2017-17106
These vulnerabilities, combined with the widespread use of weak credentials, create a significant attack surface for malicious actors. Most activity (around 95%) occurs during weekdays, suggesting a more structured approach
Matrix utilizes a GitHub account to store and manage malicious tools and scripts, mainly written in Python, Shell, and Golang.
“A significant focus has been placed on repositories such as scanner, gggggsgdfhgrehgregswegwe, musersponsukahaxuidfdffdf, and DHJIF. These repositories house various tools designed for scanning, exploiting, and deploying malware—primarily Mirai and other DDoS-related tools—on IoT devices and servers,” researchers noted.
The screenshot shows successful login into a camera panel using weak credentials (Via Aqua Nautilus)
On the other hand, Virus Total identified various tools being used for launching DDoS attacks, including DDoS Agent, SSH Scan Hacktool, PyBot, PYnet, DiscordGo Botnet, HTTP/HTTPS Flood Attack, and the Homo Network. These tools allow for controlling compromised devices, launching large-scale DDoS attacks against targets of choice, and utilizing Discord for communication and remote control.
The potential impact of this campaign is significant, with millions of internet-connected devices potentially vulnerable to exploitation. “Nearly 35 million devices are vulnerable. If 1% are compromised, the botnet could reach 350,000 devices; at 5%, it could grow to 1.7 million, rivalling major past attacks,” researchers noted.
The primary impact is denial-of-service to servers, disrupting businesses and online operations. Compromised servers can lead to service provider deactivation, impacting businesses relying on them. A limited cryptocurrency mining operation targeting ZEPHYR was observed, yielding minimal financial gain.
To stay safe, organizations should prioritize strong security practices like regular patching, strong password policies, network segmentation, intrusion detection systems, web application firewalls, and regular security audits to reduce their exposure to DDoS attacks and other cyber threats.
- Mirai-Inspired Gorilla Botnet Hits 0.3M Devices Globally
- Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
- Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
- Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
- Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
- US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks
Related news
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week. The
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle
This Metasploit module exploits CVE-2024-27348, a remote code execution vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve remote code execution through Gremlin, resulting in complete control over the server.
Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API. "Users are
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted
Categories: Exploits and vulnerabilities Categories: News Zyxel has released a security advisory about two critical vulnerabilities that could allow an unauthorized, remote attacker to take control of its firewall devices. (Read more...) The post Zyxel patches two critical vulnerabilities appeared first on Malwarebytes Labs.
Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs. The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions. "The 5-year-old vulnerability (
By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks
By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata--,'" Akamai said in a
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata--,'" Akamai said in a
By Deeba Ahmed Most devices infected by Chaos malware are located in Europe, particularly Italy but infections were also observed in Asia Pacific, South America, and North America. This is a post from HackRead.com Read the original post: New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
By Deeba Ahmed Most devices infected by Chaos malware are located in Europe, particularly Italy but infections were also observed in Asia Pacific, South America, and North America. This is a post from HackRead.com Read the original post: New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.
The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through
Zyxel has released patches to address four security flaws affecting its firewall, AP Controller, and AP products to execute arbitrary operating system commands and steal select information. The list of security vulnerabilities is as follows - CVE-2022-0734 - A cross-site scripting (XSS) vulnerability in some firewall versions that could be exploited to access information stored in the user's
Image source: z3r00t The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw
Just one day after disclosure, cyberattackers are actively going after the command-injection/code-execution vulnerability in Zyxel's gear.
This Metasploit module exploits CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. By sending a malicious setWanPortSt command containing an mtu field with a crafted OS command to the /ztp/cgi-bin/handler page, an attacker can gain remote command execution as the nobody user. Affected Zyxel models are USG FLEX 50, 50W, 100W, 200, 500, 700 using firmware 5.21 and below, USG20-VPN and USG20W-VPN using firmware 5.21 and below, and ATP 100, 200, 500, 700, 800 using firmware 5.21 and below.
Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company said in an advisory
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.