### #IoTExploitation #DDoSForHire #BotnetOperations
Summary: The threat actor known as Matrix is conducting a widespread DDoS campaign by exploiting vulnerabilities in IoT devices, showcasing a DIY approach to cyberattacks. This operation highlights the accessibility of tools for executing multi-faceted attacks driven by financial motivations.
Threat Actor: Matrix | Matrix
Victim: Various IP addresses | IP addresses
Key Point :
- Matrix utilizes known security flaws and weak credentials to access a wide range of internet-connected devices.
- The campaign is characterized by the deployment of the Mirai botnet and other DDoS-related malware using publicly available scripts from GitHub.
- Advertising as a DDoS-for-hire service through a Telegram bot, Matrix allows customers to conduct attacks in exchange for cryptocurrency.
- The operation emphasizes the need for improved security practices, such as changing default credentials and applying timely firmware updates.
- Another botnet, XorBot, has been identified targeting specific camera and router brands, further complicating the threat landscape.
A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DoD) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet.
“This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks,” Assaf Morag, director of threat intelligence at cloud security firm Aqua, said.
There is evidence to suggest that the operation is the work of a lone wolf actor, a script kiddie of Russian origin. The attacks have primarily targeted IP addresses located in China, Japan, and to a lesser extent Argentina, Australia, Brazil, Egypt, India, and the U.S.
The absence of Ukraine in the victimology footprint indicates that the attackers are purely driven by financial motivations, the cloud security firm said.
The attack chains are characterized by the exploitation of known security flaws as well as default or weak credentials to obtain access to a broad spectrum of internet-connected devices such as IP cameras, DVRs, routers, and telecom equipment.
The threat actor has also been observed leveraging misconfigured Telnet, SSH, and Hadoop servers, with a particular focus on targeting IP address ranges associated with cloud service providers (CSPs) like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
The malicious activity further relies on a wide array of publicly available scripts and tools available on GitHub, ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.
This includes PYbot, pynet, DiscordGo, Homo Network, a JavaScript program that implements an HTTP/HTTPS flood attack, and a tool that can disable the Microsoft Defender Antivirus app on Windows machines.
Matrix has also been found to use a GitHub account of their own that they opened in November 2023 to stage some of the DDoS artifacts used in the campaign.
It’s also believed that the whole offering is advertised as a DDoS-for-hire service via a Telegram bot named “Kraken Autobuy” that allows customers to choose from different tiers in exchange for a cryptocurrency payment to conduct the attacks.
“This campaign, while not highly sophisticated, demonstrates how accessible tools and basic technical knowledge can enable individuals to execute a broad, multi-faceted attack on numerous vulnerabilities and misconfigurations in network-connected devices,” Morag said.
“The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one.”
The disclosure comes as NSFOCUS sheds light on an evasive botnet family dubbed XorBot that has been primarily targeting Intelbras cameras and routers from NETGEAR, TP-Link, and D-Link since November 2023.
“As the number of devices controlled by this botnet increases, the operators behind it have also begun to actively engage in profitable operations, openly advertising DDoS attack rental services,” the cybersecurity company said, adding the botnet is advertised under the moniker Masjesu.
“At the same time, by adopting advanced technical means such as inserting redundant code and obfuscating sample signatures, they have improved the defensive capabilities at the file level, making their attack behavior more difficult to monitor and identify.”
Source: https://thehackernews.com/2024/11/matrix-botnet-exploits-iot-devices-in.html