Russian Script Kiddie Assembles Massive DDoS Botnet

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

Matrix Unleashed

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

Off-the-Shelf Attack Tools

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

Brute-Force Attacks

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."