
Russian Script Kiddie Creates Huge DDoS Botnet


A globally disruptive distributed denial-of-service (DDoS) botnet has emerged, orchestrated by a Russian script kiddie using publicly available malware tools and exploits to target weak credentials and configurations across a wide range of devices and servers. This attacker, known as “Matrix” by researchers at Aqua Nautilus, has taken a different approach by not only focusing on vulnerable Internet-of-Things (IoT) devices but also targeting enterprise development and production servers, exponentially increasing the potential for widespread disruptions.

Matrix has set up a “store” on Telegram where customers can purchase various DDoS plans and services, ranging from “Basic” to “Enterprise,” enabling them to launch DDoS attacks of varying durations at different layers of the targets they select. Although Matrix’s campaign does not employ advanced techniques, it exploits common security gaps present in numerous devices and software systems. To defend against such opportunistic attacks, security professionals stress the importance of basic security measures like changing default credentials, securing administrative protocols, and regularly updating firmware.

DDoS attacks have long been a go-to weapon for threat actors, with their sophistication and impact evolving over time. Despite organizations enhancing their defenses, DDoS attacks remain a challenge to fully mitigate. Recent statistics indicate a 46% increase in DDoS attacks during the first half of 2024 compared to the same period in the previous year, with some attacks generating multiple terabits of malicious traffic per second.

Matrix’s campaign reportedly began in November 2023 when the attacker created a GitHub account to source publicly available malware tools, subsequently modifying them for use in the DDoS campaign. Aqua’s analysis of Matrix’s GitHub repository revealed a collection of well-known DDoS botnet tools such as Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. What sets Matrix apart is the skillful integration and customization of these tools, enabling efficient deployment in building a formidable DDoS botnet.

The attacker’s strategy involves scanning the internet for IoT devices with unpatched vulnerabilities, targeting known flaws dating back to as early as 2014. Additionally, enterprise servers are not spared, with Matrix exploring IP ranges of various cloud service providers for exploitable weaknesses in telnet, SSH, Hadoop YARN, and other servers. Notably, Matrix’s primary focus appears to be China and Japan due to the high concentration of vulnerable IoT devices in these regions.

Matrix leverages brute-force attacks against default or weak passwords to compromise IoT devices and enterprise servers, incorporating them into the expanding DDoS botnet. Aqua’s analysis estimates that approximately 35 million systems are at risk, which would yield a botnet of roughly 350,000 devices if just 1% of them are vulnerable. The actual size of Matrix’s botnet remains uncertain; organizations with access to Internet traffic logs are best positioned to provide accurate assessments.
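The credential brute-forcing described above leaves a clear trace on the victim side: a burst of failed password logins from one source, followed by a successful password login from that same source once a default or weak credential is guessed. The following script is an added example, not code from the article or from Aqua Nautilus; it parses constructed sshd log lines (hostnames, IP addresses and timestamps are invented, the year is assumed because syslog lines carry none) and raises two kinds of alert: a source exceeding a failure threshold inside a sliding window, and a password login that succeeds from an already-flagged source, which is the stronger signal that a device has just been enlisted.

```python
"""Flag password-guessing bursts and the successful logins that follow them
in sshd auth logs. Illustrative detection code; thresholds, hostnames and
log lines are constructed and are not from the article or Aqua Nautilus."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog format (no year field, as in real syslog).
SAMPLE_LOG = """\
Nov 25 10:00:01 edge-cam sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Nov 25 10:00:02 edge-cam sshd[1202]: Failed password for admin from 198.51.100.7 port 51236 ssh2
Nov 25 10:00:03 edge-cam sshd[1203]: Failed password for invalid user support from 198.51.100.7 port 51238 ssh2
Nov 25 10:00:04 edge-cam sshd[1204]: Failed password for admin from 198.51.100.7 port 51240 ssh2
Nov 25 10:00:05 edge-cam sshd[1205]: Failed password for admin from 198.51.100.7 port 51242 ssh2
Nov 25 10:00:06 edge-cam sshd[1206]: Accepted password for admin from 198.51.100.7 port 51244 ssh2
Nov 25 10:02:00 edge-cam sshd[1300]: Failed password for ops from 203.0.113.5 port 40000 ssh2
Nov 25 10:02:30 edge-cam sshd[1301]: Accepted publickey for ops from 203.0.113.5 port 40002 ssh2
"""

# Matches the common OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)"
)


def parse_line(line, year=2024):
    """Return a dict for an auth event, or None for lines we do not care about.
    The year is an assumption: syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Sliding-window detector. Returns a list of alerts in log order:
    - "brute_force": a source reached `threshold` failed logins within `window`
    - "success_after_burst": a password login succeeded from a flagged source
    Threshold and window are constructed defaults; tune them to the environment."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}                          # ip -> time its burst was first detected
    alerts = []
    for e in events:
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged[e["ip"]] = e["ts"]
                alerts.append({"type": "brute_force", "ip": e["ip"],
                               "failures": len(q), "at": e["ts"]})
        elif e["method"] == "password" and e["ip"] in flagged:
            # A guessed password has worked: treat the host as likely compromised.
            alerts.append({"type": "success_after_burst", "ip": e["ip"],
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Key-based logins are deliberately not counted as compromise indicators, since a burst of password failures followed by a publickey success is the normal pattern for an operator whose client tried a password first. In production the same logic would run over the full auth log (or its journald equivalent) and feed a block list or SIEM rule rather than printing.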

In conclusion, Matrix’s innovative approach to assembling a powerful DDoS botnet poses a significant threat to global cybersecurity. The rapid evolution of attack techniques underscores the ongoing challenge for organizations to defend against malicious actors exploiting fundamental security weaknesses. Increased vigilance, timely patching, and adherence to best security practices are essential to mitigate the growing menace of disruptive DDoS attacks orchestrated by individuals like “Matrix.”
