Surge in DDoS Attacks Linked to Variants of Mirai Botnet
Recent investigations reveal that distinct offshoots of the notorious Mirai botnet are driving a new wave of distributed denial-of-service (DDoS) attacks around the globe. One variant is taking advantage of specific vulnerabilities in Internet of Things (IoT) devices to construct extensive botnet networks, while another has been persistently targeting organizations across North America, Europe, and Asia since late 2024.
Qualys researchers have reported ongoing operations involving a significant new botnet named "Murdoc_Botnet," which began its activities in July. This botnet, characterized by more than 1,300 active IPs, specifically targets Avtech cameras and Huawei HG532 routers. In their recent analysis, the team identified over 100 unique server sets associated with the Murdoc botnet, each responsible for monitoring bot activity and communicating with compromised devices.
Simultaneously, Trend Micro’s research highlights another botnet that exploits both Mirai and Bashlite malware variants to compromise IoT devices by leveraging security flaws and weak credentials. These attacks are prevalent worldwide, and they initiate infiltration through remote code execution vulnerabilities or through weak passwords, followed by the execution of malicious payload scripts on infected hosts.
The Mirai botnet, which first appeared in the security landscape in 2016, continues to exert a pervasive influence, as these two campaigns demonstrate. Despite a decade of advances in cybersecurity measures, the consequences of Mirai's leaked source code remain a significant threat to network security.
The Murdoc botnet relies on known vulnerabilities, specifically CVE-2024-7029 and CVE-2017-17215. The former is a network-reachable command injection flaw affecting Avtech cameras, while the latter is a remote code execution vulnerability in certain Huawei routers. The majority of IP addresses tied to this attack originate from Malaysia, with additional instances noted in Thailand, Mexico, and Indonesia.
In parallel, an expansive DDoS campaign targeting organizations based in the United States has been detected. Initial findings from Trend Micro indicated large-scale DDoS attacks against Japanese entities but highlighted a broader global operation that has adversely impacted U.S. institutions, with other affected nations including Bahrain, Poland, and Spain. Key targets include well-known brands of wireless routers and IP cameras, with cybercriminals employing tactics that exploit both firmware vulnerabilities and weak access credentials.
In these attacks, two primary DDoS methods have been identified: one floods the network with an overwhelming number of packets, and the other exhausts server resources by establishing numerous concurrent sessions. The latter presents a particularly complex defensive challenge, because the operators can run both methods simultaneously by issuing multiple command combinations to the bots.
With the ongoing emergence of Mirai variants, the need for organizations to fortify their defenses against DDoS attacks intensifies. Businesses must be able to detect and mitigate sustained streams of malicious traffic. Qualys emphasizes the need for diligent monitoring of unconventional processes, network traffic, and shell scripts from untrusted sources, while Trend Micro recommends mitigation strategies tailored to the specific type of DDoS attack encountered.
Organizations can benefit from a proactive stance, utilizing firewalls and routers to block suspicious IPs, collaborating with service providers to filter attack traffic, and implementing real-time monitoring to detect unusual connection patterns. By acknowledging the tactics identified in the MITRE ATT&CK framework, business leaders can better understand the methods employed by adversaries and adapt their cybersecurity strategies accordingly.
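The two traffic patterns described above (a high-rate packet flood and a session-exhaustion attack that holds many concurrent connections open) map to two simple real-time checks a defender can run over flow records. The following is an added example written for this page; it is not code from the article or from the Qualys or Trend Micro reports. It assumes a constructed flow-log format of `<epoch_seconds> <src_ip> <event> [<packets>]`, where the event is `PKT` (a packet-count sample), `OPEN` (session established) or `CLOSE` (session torn down); the thresholds, IP addresses and log lines are all illustrative and constructed, not observed values.

```python
"""Flag packet-flood and session-exhaustion sources in constructed flow records.

Assumed (hypothetical) record format, one per line:
    <epoch_seconds> <src_ip> PKT <packets>   # packet-count sample for that second
    <epoch_seconds> <src_ip> OPEN            # a session was established
    <epoch_seconds> <src_ip> CLOSE           # a session was torn down
Thresholds are illustrative defaults, not values from the article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # epoch seconds
    src: str      # source IP address
    kind: str     # PKT, OPEN or CLOSE
    packets: int  # only meaningful for PKT records


def parse_log(text):
    """Parse the assumed record format; reject anything malformed loudly."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[2] not in ("PKT", "OPEN", "CLOSE"):
            raise ValueError(f"line {lineno}: unrecognised record {raw!r}")
        if parts[2] == "PKT":
            if len(parts) != 4:
                raise ValueError(f"line {lineno}: PKT record needs a packet count")
            packets = int(parts[3])
        else:
            packets = 0
        events.append(Event(int(parts[0]), parts[1], parts[2], packets))
    # Stable sort: chronological, but the original order within a second is kept.
    return sorted(events, key=lambda e: e.ts)


def detect_packet_floods(events, pps_threshold):
    """Return {src: peak packets-per-second} for sources at or above the threshold."""
    per_second = defaultdict(int)
    for e in events:
        if e.kind == "PKT":
            per_second[(e.src, e.ts)] += e.packets
    peaks = defaultdict(int)
    for (src, _), n in per_second.items():
        peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n >= pps_threshold}


def detect_session_exhaustion(events, session_threshold):
    """Return {src: peak concurrent open sessions} for sources at or above the threshold."""
    open_now = defaultdict(int)
    peaks = defaultdict(int)
    for e in events:
        if e.kind == "OPEN":
            open_now[e.src] += 1
            peaks[e.src] = max(peaks[e.src], open_now[e.src])
        elif e.kind == "CLOSE":
            # Tolerate a CLOSE whose OPEN fell outside the log window.
            open_now[e.src] = max(0, open_now[e.src] - 1)
    return {src: n for src, n in peaks.items() if n >= session_threshold}


def analyze(text, pps_threshold=50_000, session_threshold=200):
    """Run both detectors over one log text and report hits by attack method."""
    events = parse_log(text)
    return {
        "packet_flood": detect_packet_floods(events, pps_threshold),
        "session_exhaustion": detect_session_exhaustion(events, session_threshold),
    }


def build_sample_log():
    """Constructed sample records (documentation-range IPs, not captured traffic)."""
    lines = [
        "# constructed sample, not real traffic",
        "1000 203.0.113.10 PKT 20",     # benign host: low rate, one short session
        "1000 203.0.113.10 OPEN",
        "1001 203.0.113.10 CLOSE",
        "1000 198.51.100.7 PKT 40000",  # three samples in one second sum to 119000 pkt/s
        "1000 198.51.100.7 PKT 38000",
        "1000 198.51.100.7 PKT 41000",
        "1001 198.51.100.7 PKT 900",    # quiet the next second; the peak still counts
        "1000 192.0.2.55 PKT 2600",     # modest packet rate, well below the flood threshold
    ]
    # Session exhaustion: 260 sessions opened at once, only 30 ever closed.
    lines += ["1000 192.0.2.55 OPEN"] * 260
    lines += ["1001 192.0.2.55 CLOSE"] * 30
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for method, hits in analyze(build_sample_log()).items():
        for src, peak in sorted(hits.items()):
            print(f"{method}: {src} peak={peak}")
```

Keeping the two detectors separate matters because, as the article notes, a single bot can run both methods at once: the session-exhaustion host in the sample stays far below the packet-rate threshold and would be missed by a rate check alone, while the flood host opens no sessions at all. In practice the thresholds would be tuned per service, and flagged sources feed the IP-blocking and provider-side filtering steps described above.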