
CatDDOS Threat Groups Increase DDoS Attacks Drastically


Researchers have noted a recent uptick in activity related to the Mirai distributed denial-of-service (DDoS) botnet variant known as CatDDoS. The attacks have been aimed at various organizations spanning different industries, including cloud vendors, communication providers, construction companies, scientific and research institutions, as well as educational establishments in countries such as the US, France, Germany, Brazil, and China.

First appearing in August and gaining notoriety in September 2023, CatDDoS seemingly disappeared in December, leading experts at China’s QiAnXin XLab to speculate that the operators behind the malware had ceased their activities. However, a recent report from QiAnXin reveals that multiple groups have been utilizing different variants of CatDDoS in the past three months. These variants, which go by various aliases such as RebirthLTD, Komaru, and Cecilio Network, have exploited over 80 vulnerabilities in their latest campaign.

According to QiAnXin’s findings, the CatDDoS-related groups have continued to target a large number of victims on a daily basis, exceeding 300 per day. The vulnerabilities exploited by these threat actors encompass a wide range of products and technologies, including Apache ActiveMQ Servers, Apache Log4j, Cisco Linksys, Jenkins servers, and NetGear routers.

Some of these vulnerabilities are relatively recent, having been disclosed within the past year. However, CatDDoS operators also leverage much older vulnerabilities, such as CVE-2010-2506, a 14-year-old flaw in Linksys firmware; CVE-2013-1599, a decade-old vulnerability in D-Link IP cameras; and CVE-2011-5010, a remote code execution flaw in Ctek SkyRouters from 2011.

Furthermore, QiAnXin highlighted the possible use of zero-day vulnerabilities, citing parameters such as ‘skylab0day’ and ‘Cacti-n0day’ observed when the CatDDoS samples run. These findings suggest that the threat actors behind CatDDoS are continuously evolving their tactics to evade detection.

Despite the varied names given to the different CatDDoS variants, QiAnXin concluded that they share commonalities in code structure, communication methods, and encryption techniques. As a result, the security vendor has grouped these variants under the umbrella term “CatDDoS-related gangs,” underscoring the interconnected nature of these threat actors.

DDoS attacks continue to pose a significant threat to organizations globally, with threat actors constantly refining their strategies to bypass existing defenses. A recent report by Nexusguard revealed that attackers have shifted their focus towards individual computers and servers, targeting them in 92% of DDoS attempts observed last year, a substantial increase from previous years. This shift has been attributed to vulnerabilities in Windows systems and the availability of malware that facilitates attacks on these systems.

While the overall volume of DDoS attacks decreased in 2023, individual attack sizes surged by 233%, indicating a trend towards more damaging and impactful attacks. Attackers have continued to utilize techniques like NTP amplification to boost traffic during attacks, along with DNS amplification and HTTPS flooding methods to amplify the impact of their assaults.

In conclusion, the evolving landscape of DDoS attacks underscores the importance of proactive cybersecurity measures to safeguard against increasingly sophisticated threats like CatDDoS. Organizations need to remain vigilant and constantly update their defenses to mitigate the risks posed by these malicious actors.

