A new DDoS campaign linked to a threat actor identified as Matrix has been detected, capitalizing on security weaknesses in Internet of Things (IoT) devices. This campaign is notable for its widespread approach, leveraging these vulnerabilities to build a disruptive botnet.
According to Assaf Morag, director of threat intelligence at Aqua, this campaign represents a one-stop solution where attackers can scan for vulnerabilities, exploit them, deploy malware, and organize operational kits. This approach highlights a troubling “do-it-yourself” method of executing cyberattacks.
The attacks are primarily attributed to a lone attacker, often characterized as a script kiddie with ties to Russia. Targets have predominantly included IP addresses within China and Japan, along with lesser attacks aimed at countries such as Argentina, Australia, Brazil, Egypt, India, and the United States.
The absence of Ukraine among the targeted regions suggests that financial gain is the principal motive behind these attacks, according to Aqua. Security experts indicate that these campaigns exploit known vulnerabilities along with default or weak credentials to access a variety of internet-connected devices, including IP cameras, DVRs, routers, and telecommunications equipment.
Additionally, the Matrix operator has been noted to utilize misconfigured Telnet, SSH, and Hadoop servers. Attacks are frequently directed at the IP ranges of major cloud service providers, including Amazon Web Services, Microsoft Azure, and Google Cloud.
The campaign further relies on a collection of publicly accessible scripts and tools from platforms such as GitHub. Among the malware deployed is the notorious Mirai botnet, along with various DDoS-related scripts. Examples include tools like PYbot and pynet, which facilitate HTTP/HTTPS flood attacks and even disable security applications on targeted systems.
The campaign's reliance on freely available tooling is underscored by the fact that Matrix has operated a GitHub account since November 2023 to distribute the artifacts used in the DDoS attacks. The operation appears to be marketed as a DDoS-for-hire service through a Telegram bot named “Kraken Autobuy,” which lets customers purchase attacks in exchange for cryptocurrency.
Morag highlighted that while the sophistication of this campaign may be limited, the ease of access to tools combined with basic technical skills enables a wide array of individuals to conduct multi-faceted attacks against numerous vulnerabilities. This underscores the critical need for improving fundamental security practices, such as altering default credentials, securing administrative protocols, and ensuring timely firmware updates to mitigate risks from such opportunistic attacks.
This alarming trend in cyber threat activities coincides with findings from NSFOCUS which revealed another botnet named XorBot, compromising devices primarily from Intelbras and prominent brands like NETGEAR and TP-Link since November 2023. As both botnets evolve, they are increasingly offered as rental services, underscoring the growing market for DDoS capabilities.
As the number of compromised devices grows, these operators are increasingly pursuing financially motivated activity, adopting tactics such as code obfuscation and anti-analysis measures that complicate detection. In light of this, stakeholders must remain vigilant and proactive in strengthening their defenses, particularly with reference to the MITRE ATT&CK matrix, focusing on the tactics these botnets rely on, namely initial access, exploitation of vulnerabilities, and establishing persistence, in order to counter these emerging threats effectively.