A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DoD) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet.
“This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks,” Assaf Morag, director of threat intelligence at cloud security firm Aqua, said.
There is evidence to suggest that the operation is the work of a lone wolf actor, a script kiddie of Russian origin. The attacks have primarily targeted IP addresses located in China, Japan, and to a lesser extent Argentina, Australia, Brazil, Egypt, India, and the U.S.
The absence of Ukraine in the victimology footprint indicates that the attackers are purely driven by financial motivations, the cloud security firm said.
The attack chains are characterized by the exploitation of known security flaws as well as default or weak credentials to obtain access to a broad spectrum of internet-connected devices such as IP cameras, DVRs, routers, and telecom equipment.
The threat actor has also been observed leveraging misconfigured Telnet, SSH, and Hadoop servers, with a particular focus on targeting IP address ranges associated with cloud service providers (CSPs) like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
The malicious activity further relies on a wide array of publicly available scripts and tools available on GitHub, ultimately deploying the Mirai botnet malware and other DDoS-related programs on compromised devices and servers.
This includes PYbot, pynet, DiscordGo, Homo Network, a JavaScript program that implements an HTTP/HTTPS flood attack, and a tool that can disable the Microsoft Defender Antivirus app on Windows machines.
Matrix has also been found to use a GitHub account of their own that they opened in November 2023 to stage some of the DDoS artifacts used in the campaign.
It’s also believed that the whole offering is advertised as a DDoS-for-hire service via a Telegram bot named “Kraken Autobuy” that allows customers to choose from different tiers in exchange for a cryptocurrency payment to conduct the attacks.
“This campaign, while not highly sophisticated, demonstrates how accessible tools and basic technical knowledge can enable individuals to execute a broad, multi-faceted attack on numerous vulnerabilities and misconfigurations in network-connected devices,” Morag said.
“The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one.”
The disclosure comes as NSFOCUS sheds light on an evasive botnet family dubbed XorBot that has been primarily targeting Intelbras cameras and routers from NETGEAR, TP-Link, and D-Link since November 2023.
“As the number of devices controlled by this botnet increases, the operators behind it have also begun to actively engage in profitable operations, openly advertising DDoS attack rental services,” the cybersecurity company said, adding the botnet is advertised under the moniker Masjesu.
“At the same time, by adopting advanced technical means such as inserting redundant code and obfuscating sample signatures, they have improved the defensive capabilities at the file level, making their attack behavior more difficult to monitor and identify.”
