Tag Archive for: DDoS

A Stealthy Multi-Platform Malware Leveraging NKN for DDoS Attacks

A recently discovered multi-platform malware named ‘NKAbuse’, written in Go, has raised concerns as the first known instance of malware using NKN (New Kind of Network) technology for data exchange. NKN is a decentralized peer-to-peer network protocol built on blockchain technology, and NKAbuse uses it to conduct distributed denial of service (DDoS) attacks in a way that is hard to trace. This article explores the details of NKAbuse, its modus operandi, and the challenges it poses to defenders.


The NKN Technology Landscape:

NKN, a decentralized peer-to-peer network protocol, uses blockchain technology to manage network resources and to establish a secure and transparent model for network operations. Its primary goal is to optimize data transmission speed and latency across the network, which it achieves by calculating efficient paths for data packets to travel. Individuals can participate in the NKN network by running nodes, which adds to its robustness, decentralization, and capacity to handle high volumes of data. For defenders, the relevant consequence is that traffic relayed over such a network does not pass through a fixed, easily blocked command-and-control server.

NKAbuse: Targeting Linux Systems in Specific Regions:

Kaspersky reports the discovery of NKAbuse, a novel malware that primarily targets Linux desktops, with notable infections identified in Mexico, Colombia, and Vietnam. The malware exploits an old Apache Struts flaw (CVE-2017-5638) to compromise Linux systems, and it supports multiple architectures, including MIPS, ARM, and 386, which shows how adaptable it is.


NKN Exploitation for DDoS Attacks:

NKAbuse stands out by abusing NKN to launch DDoS attacks that are difficult to trace and likely to evade detection by conventional security tools. The malware uses the NKN public blockchain protocol to carry out flooding attacks and to establish a backdoor on Linux systems. Communicating with the bot master over NKN lets it send and receive data, and its ability to maintain multiple concurrent channels makes its communication line more resilient.


Versatile Capabilities: A Unique Threat in the DDoS Botnet Space:

Beyond its DDoS capabilities, NKAbuse functions as a remote access trojan (RAT) on compromised…


Mirai Botnet Exploits Zero-Day Bugs For DDoS Attacks

InfectedSlurs, a Mirai botnet malware, has been exploiting two zero-day remote code execution (RCE) vulnerabilities. The malware targets routers and network video recorder (NVR) devices, aiming to make them part of its distributed denial of service (DDoS) swarm. Although the botnet was discovered in October 2023, its initial activities are believed to date back to the latter half of 2022. In this blog, we’ll dive into how the botnet was discovered, how it functions, and more.


Mirai Botnet Detection Details

The botnet was discovered when Akamai’s Security Intelligence Response Team (SIRT) noticed malicious activity against the company’s honeypots. As of now, the malicious activity is believed to have targeted a rarely used TCP port. The SIRT noticed fluctuations in the frequency of the zero-day exploit attempts.

An analysis of the zero-day vulnerabilities, published by Akamai, reads, “The activity started out with a small burst, peaking at 20 attempts per day, and then thinned out to an average of two to three per day, with some days completely devoid of attempts.” It’s worth mentioning that the vulnerable devices that fell prey to the botnet were unknown until November 9, 2023.

Initially the probes were low-frequency and attempted authentication using a POST request. Upon acquiring access, the botnet attempted a command injection exploit. Researchers have also determined that the botnet used default admin credentials to install Mirai variants.

Upon further observation, it was identified that wireless LAN routers built for hotels and residential use were also being targeted by the Mirai botnet. Commenting on the RCE flaw being exploited for unauthorized access, Akamai stated: “The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild.”


InfectedSlurs, JenX, and hailBot

The InfectedSlurs botnet is suspected to be linked with other cybersecurity threats such as JenX and hailBot. The botnet gets its name from the use of racial and offensive language in the command-and-control (C2)…


Novel Mirai-based DDoS botnet exploits 0-days to infect routers and security cameras


Threat actors are exploiting previously unknown bugs in certain routers and network video recorder (NVR) devices to build a Mirai-based distributed denial-of-service (DDoS) botnet, dubbed InfectedSlurs.

The newly discovered zero-day remote code execution vulnerabilities can be exploited if the device manufacturers’ default admin credentials have not been changed, a security measure users very often fail to take.

In a post this week, researchers at Akamai’s security intelligence response team (SIRT) said they discovered the botnet through their global honeypots last month and identified that it was targeting network video recorder (NVR) devices from a specific manufacturer.

“The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild,” the researchers wrote.

Further investigation revealed that a second device from a different manufacturer, a wireless LAN router designed for hotels and residential use, was also being targeted by the threat actors behind the botnet.

The researchers said they alerted the manufacturers to the respective vulnerabilities and were told by both that they expected to release patches for the affected devices next month. Until that occurred, Akamai would not identify the manufacturers.

“There is a thin line between responsible disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the researchers said.

In the case of the router the threat group was targeting, it was manufactured by a Japanese vendor that produces multiple switches and routers. Japan’s Computer Emergency Response Team (JPCERT) had confirmed the exploit, but Akamai did not know whether more than one model in the company’s catalog was affected.

“The feature being exploited is a very common one, and it’s possible there is code reuse across product line offerings,” the researchers said.

Akamai labelled the botnet “InfectedSlurs” after the researchers discovered racial epithets and offensive language within the naming conventions used for the command-and-control domains associated with…


NSFOCUS reveals alarming surge in DDoS attacks in 2022 report

NSFOCUS has published its 2022 Global DDoS Attack Landscape Report. The report contains in-depth findings to aid organisations and users in defending against DDoS attacks.

The report reveals that the DDoS attack landscape is becoming increasingly difficult to navigate. The number of DDoS attacks surged notably in 2022, with the number of terabit-level attacks rising to approximately 40. Attacks greater than 100 Gbps also reached record levels, with attacks of that scale being reported on an hourly basis. The analysis shows that the incidence of repeat attacks on the same IP addresses in 2022 was significantly higher than in 2021, meaning that once identified as a target, a victim is likely to experience repeated DDoS attacks. This continually evolving threat landscape poses fresh obstacles to DDoS protection.

According to the report, UDP-based DDoS attacks were the most prevalent tactic used by cybercriminals, accounting for about 60% of total DDoS threat incidents in 2022. Quite alarmingly, virtually all terabit-level DDoS attacks were found to be UDP-based, including two-thirds of non-reflective UDP attacks. These findings signal that contemporary threat actors have an extremely rich pool of attack resources at their disposal and can initiate terabit attacks without needing UDP reflection to amplify traffic. The trend of rapidly recurring, very large DDoS attacks now exceeds the capability of on-premises solutions across industries.

The report also draws attention to the growing menace of application-layer DDoS attacks. These attacks are more challenging to identify and defend against because they establish genuine TCP connections, which means the attack source IP addresses cannot be spoofed and reflect real compromised hosts. The report warns that if a large number of application-layer attack source IP addresses remain active in a particular region, it is a significant indication that botnets are operating there.

As in previous annual DDoS attack landscape reports, NSFOCUS continuously monitors the activity of botnet families. The 2022 report identifies Mirai as the most threatening botnet, accounting for over half of all botnet activity and having the greatest number of…
