
Matrix Botnet Exploits IoT Devices In Widespread DDoS Campaign


Overview

A threat actor known as Matrix has been linked to a widespread distributed denial of service (DDoS) attack campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to turn them into disruptive botnets.

Campaign Details

  • Methodology: The campaign is a comprehensive “one-stop shop” for scanning, exploiting, deploying malware, and building attack toolkits. This represents a do-it-yourself approach to cyberattacks.

  • Origin and Targets: There is evidence that the campaign is the work of a single actor, possibly a “script kiddie” of Russian origin. The attacks primarily target IP addresses in China, Japan, and to a lesser extent Argentina, Australia, Brazil, Egypt, India, and the United States. The absence of Ukraine from the victim list suggests a financial motive.

  • Attack Methods: The attack chains were characterized by exploiting known security vulnerabilities as well as default or weak credentials to gain access to a wide range of internet-connected devices such as IP cameras, DVRs, routers, and telecommunications equipment.

  • Tools and Techniques: The threat actor leveraged misconfigured Telnet, SSH, and Hadoop servers, with a particular focus on IP address ranges associated with cloud service providers such as AWS, Microsoft Azure, and Google Cloud. The malicious activity relied on a range of publicly available scripts and tools on GitHub, ultimately deploying the Mirai botnet malware and other DDoS-related programs onto compromised devices and servers.

Tools and Services

  • Tools used: These included PYbot, pynet, DiscordGo, Homo Network (a JavaScript program that performs HTTP/HTTPS flood attacks), and a tool that can disable Microsoft Defender Antivirus on Windows machines.

  • DDoS-for-hire service: This campaign is advertised as a DDoS-for-hire service through a Telegram bot called “Kraken Autobuy,” which allows customers to choose from different packages to carry out attacks in exchange for payment in cryptocurrency.

Security Recommendations

  • Basic Security Practices: This campaign, while not overly complex, demonstrates how easily accessible tools and basic technical knowledge can allow individuals to launch a multi-faceted attack against multiple vulnerabilities and misconfigurations in network-connected devices. This highlights the importance of basic security practices such as changing default credentials, securing administrative protocols (for example Telnet and SSH), and applying firmware updates promptly, to protect against widespread opportunistic attacks like this one.
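The default-credential scanning described above (many factory usernames tried over SSH or Telnet from a single source, followed by a successful login) leaves a recognisable trace in device auth logs. The following detection logic is an added example, not code from the article or from any vendor it cites; the sshd-style log lines, the list of default usernames and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth-log lines (not from the article). 203.0.113.5 behaves
# like a Mirai-style scanner cycling through factory-default usernames; 198.51.100.9
# is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
Nov 26 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 26 10:00:02 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 26 10:00:02 cam01 sshd[814]: Failed password for invalid user support from 203.0.113.5 port 51244 ssh2
Nov 26 10:00:03 cam01 sshd[815]: Failed password for invalid user user from 203.0.113.5 port 51250 ssh2
Nov 26 10:00:03 cam01 sshd[816]: Failed password for invalid user supervisor from 203.0.113.5 port 51251 ssh2
Nov 26 10:00:04 cam01 sshd[817]: Accepted password for root from 203.0.113.5 port 51260 ssh2
Nov 26 10:05:10 cam01 sshd[901]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Nov 26 10:05:15 cam01 sshd[902]: Accepted password for alice from 198.51.100.9 port 40022 ssh2
"""

# Usernames commonly shipped as factory defaults on IoT devices (illustrative, assumed list).
DEFAULT_USERS = {"root", "admin", "support", "user", "supervisor", "guest", "service"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def detect_credential_scanning(lines, min_distinct_users=3):
    """Return {source_ip: report} for sources that fail logins with at least
    `min_distinct_users` different default usernames. `compromised` is True
    when a later attempt from the same source was accepted, i.e. a default
    credential worked and the device may already be enrolled in the botnet."""
    failed, accepted = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        (failed if m["result"] == "Failed" else accepted)[m["ip"]].add(m["user"])

    findings = {}
    for ip, users in failed.items():
        defaults_tried = users & DEFAULT_USERS
        if len(defaults_tried) >= min_distinct_users:
            findings[ip] = {
                "default_users_tried": sorted(defaults_tried),
                "compromised": bool(accepted.get(ip)),
            }
    return findings

if __name__ == "__main__":
    for ip, report in detect_credential_scanning(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

A device that shows up with `compromised: True` should be treated as an incident (isolate, reset credentials, reflash firmware), not just a blocked source address.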


FPT IS Security

761 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.