Recent findings from Qihoo 360’s Network Security Research Lab indicate that the Fodcha distributed denial-of-service (DDoS) botnet has re-emerged with enhanced capabilities. The updated botnet incorporates modifications to its communication protocol and has introduced the ability to demand cryptocurrency payments in exchange for ceasing attacks on specific targets.

First documented in April 2022, Fodcha propagates by exploiting known vulnerabilities in Android and IoT devices and by brute-forcing weak Telnet and SSH credentials. Since then, Fodcha has grown into a formidable botnet with more than 60,000 active nodes and 40 command-and-control (C2) domains, allowing it to generate traffic exceeding 1 terabit per second.

The peak of Fodcha’s activities was observed on October 11, 2022, when it targeted nearly 1,400 devices in a single day. Notably, regions affected since mid-2022 include China, the United States, Singapore, Japan, Russia, Germany, France, the United Kingdom, Canada, and the Netherlands. Targets have ranged from healthcare organizations to law enforcement agencies and even prominent cloud service providers, some of which faced attacks surpassing 1 Tbps of traffic.

The botnet’s evolution has been accompanied by the introduction of new stealth features, including encrypted communication with its C2 servers and embedded ransom demands. The research indicates that Fodcha utilizes attack code derived from the widely known Mirai botnet and supports a total of 17 different attack methods.

In addition, research from Lumen Black Lotus Labs has highlighted a concerning trend of increased exploitation of the Connectionless Lightweight Directory Access Protocol (CLDAP) to amplify the severity of DDoS attacks. More than 12,000 open CLDAP reflectors have currently been identified, primarily in the U.S. and Brazil, with further concentrations in Germany, India, and Mexico. In one instance, a CLDAP service belonging to an unnamed retail business in North America was observed directing excessive traffic at various targets over an extended period, peaking at 7.8 Gbps.
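The CLDAP reflection trend described above, as an added detection example (not code from the article, Lumen Black Lotus Labs, or Qihoo 360): it scans constructed flow records for destinations that receive large UDP/389-sourced responses from several distinct reflectors, which is the shape an amplified CLDAP flood takes at the victim's edge. The flow field layout, the thresholds, and the sample addresses are assumptions.

```python
"""Flag likely CLDAP reflection victims in constructed flow records.

Added example, not taken from the article or the research it cites.
Assumption: the collector exports NetFlow-like tuples of
(src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
"""
from collections import defaultdict

CLDAP_PORT = 389       # CLDAP is LDAP over UDP on port 389
MIN_REFLECTORS = 3     # distinct reflectors hitting one victim (tunable assumption)
MIN_AVG_BYTES = 800    # bytes/packet far above a normal CLDAP query (tunable assumption)

# Constructed sample flows using documentation address ranges (RFC 5737).
FLOWS = [
    ("198.51.100.10", 389, "203.0.113.5", 41234, "udp", 2_400_000, 1600),
    ("198.51.100.11", 389, "203.0.113.5", 41234, "udp", 2_100_000, 1400),
    ("198.51.100.12", 389, "203.0.113.5", 41234, "udp", 1_900_000, 1300),
    ("198.51.100.10", 389, "203.0.113.5", 41234, "udp", 3_000, 60),     # small, legitimate replies
    ("192.0.2.7", 389, "203.0.113.9", 50000, "udp", 5_000, 80),         # single reflector, small
    ("192.0.2.8", 443, "203.0.113.5", 51000, "tcp", 900_000, 600),      # unrelated TCP traffic
]


def cldap_reflection_victims(flows):
    """Return {victim_ip: (reflector_count, avg_bytes_per_packet)} for
    destinations receiving UDP/389-sourced traffic from at least
    MIN_REFLECTORS sources with an average packet size >= MIN_AVG_BYTES."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        # Only responses sourced from UDP/389 can be CLDAP reflection traffic.
        if proto != "udp" or sport != CLDAP_PORT:
            continue
        v = per_victim[dst]
        v["reflectors"].add(src)
        v["bytes"] += nbytes
        v["packets"] += pkts

    hits = {}
    for dst, v in per_victim.items():
        avg = v["bytes"] / v["packets"] if v["packets"] else 0.0
        if len(v["reflectors"]) >= MIN_REFLECTORS and avg >= MIN_AVG_BYTES:
            hits[dst] = (len(v["reflectors"]), round(avg, 1))
    return hits


if __name__ == "__main__":
    for victim, (count, avg) in cldap_reflection_victims(FLOWS).items():
        print(f"{victim}: {count} CLDAP reflectors, {avg} bytes/packet on average")
```

In production the same grouping is run per time window, so a handful of legitimate large responses does not trip the threshold while a sustained flood from many open reflectors does.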

This warning aligns with a joint advisory issued by U.S. government agencies aimed at guiding organizations in implementing proactive measures to defend against DDoS attacks. To mitigate risks, businesses are encouraged to identify critical assets, enhance their understanding of user connections, and invest in DDoS protection services while developing comprehensive response strategies and continuity plans.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the vulnerabilities posed by internet-connected IoT devices, which often operate with default passwords and lack robust security measures. These qualities render them susceptible to exploitation, enabling attackers to assemble vast networks of compromised devices capable of executing high-volume attacks.

In conclusion, the resurgence of the Fodcha DDoS botnet and the corresponding increase in threatening tactics necessitate a renewed focus on cybersecurity resilience for organizations across various sectors. Through awareness and preparedness, business owners can better safeguard their environments against such evolving threats.
