Matrix Botnet Exploits IoT Vulnerabilities in Widespread DDoS Campaign

A threat actor known as Matrix has been linked to a large-scale distributed denial-of-service (DDoS) campaign targeting vulnerabilities and misconfigurations in Internet of Things (IoT) devices. These compromised devices are co-opted into a botnet, creating widespread disruption.

Attack Highlights

According to Assaf Morag, director of threat intelligence at cloud security firm Aqua:

“This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks.”

Key Observations:

  1. The campaign appears to be operated by a lone actor, possibly a Russian script kiddie.
  2. Victims are predominantly located in China, Japan, Argentina, Australia, Brazil, Egypt, India, and the U.S.
  3. The absence of Ukraine among the targets suggests the attack is financially motivated rather than politically driven.

Attack Methods

The Matrix botnet exploits:

  1. Known vulnerabilities and default/weak credentials in IoT devices, such as IP cameras, DVRs, and routers.
  2. Misconfigured Telnet, SSH, and Hadoop servers, often targeting IP ranges associated with cloud service providers like AWS, Microsoft Azure, and Google Cloud.

The botnet leverages widely available scripts and tools from platforms like GitHub, deploying:

  1. Mirai botnet malware and other DDoS-specific tools.
  2. Programs like PYbot, pynet, DiscordGo, and Homo Network (an HTTP/HTTPS flood tool).
  3. Tools to disable Microsoft Defender Antivirus on Windows devices.

Matrix's Activities

Matrix’s operations include maintaining a GitHub account (established in November 2023) to distribute DDoS artifacts. The botnet is also advertised as a DDoS-for-hire service via a Telegram bot called "Kraken Autobuy", offering attack tiers in exchange for cryptocurrency payments.

“This campaign, while not highly sophisticated, demonstrates how accessible tools and basic technical knowledge can enable individuals to execute broad, multi-faceted attacks,” said Morag.

Prevention Tips

To mitigate risks from campaigns like Matrix:

  1. Change default credentials and enforce strong passwords.
  2. Secure administrative protocols, such as Telnet and SSH.
  3. Apply firmware updates to IoT devices regularly.

Related Developments

The disclosure coincides with findings about XorBot, a botnet targeting Intelbras cameras and routers from NETGEAR, TP-Link, and D-Link since November 2023. The botnet, marketed as Masjesu, uses techniques like code obfuscation and signature manipulation to evade detection while offering DDoS rental services.

These developments underline the growing accessibility of DDoS tools, reinforcing the need for fundamental security practices to prevent exploitation.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067