While the notorious Meris DDoS botnet made headlines in 2021 with its record-breaking attacks, the emergence of newer threats in 2023 shows that cybercriminal tactics keep evolving.
The cyber threat landscape constantly evolves, whether through botnets exploiting Zyxel’s CVE-2023-28771, Ddostf targeting MySQL servers, or Mirai’s IZ1H9 variant.
Making things even more complicated, in September 2023, researchers spotted new DDoS botnets linked to the Mirai source code. Three of these, hailBot, kiraiBot, and catDDoS, have become prominent, showing increased activity, and spreading faster.
If you’re unfamiliar with DDoS botnets or how to stop them, keep reading to learn more.
A DDoS botnet is a network of hacked computers used to flood websites or servers with excessive traffic, causing them to crash and become inaccessible.
DDoS botnet malware is not always visible, and it does not always have a direct or immediate impact on the device. In some cases the malware hijacks the device immediately; in others it runs in the background, silently executing the attacker’s instructions.
DDoS (Distributed Denial-of-Service) attacks are cyber-attacks in which the threat actor seeks to make websites, web applications, networks or infrastructure unavailable to legitimate users by saturating the services and causing downtime or crashes. DDoS attacks are of two kinds:
They can be orchestrated either by individuals engaging in coordinated activity or through botnets. The latter is known as a botnet DDoS attack.
In June 2023, a surge in DDoS botnet activities was observed, capitalizing on the Zyxel vulnerability (CVE-2023-28771). This critical flaw, rated at 9.8 on the CVSS scoring system, serves as a gateway for DDoS attacks, with unauthorized attackers potentially executing arbitrary code through a command injection vulnerability in multiple firewall models.
The ‘Ddostf’ malware botnet has pivoted its focus towards MySQL servers, transforming them into DDoS platforms for cybercriminals. Exploiting vulnerabilities in unpatched MySQL environments, the botnet utilizes brute-force techniques and user-defined functions (UDFs) to execute malicious commands. This strategic move allows the Ddostf botnet to establish persistence on Windows systems, evading takedowns by connecting to new command and control (C2) addresses.
Through its IZ1H9 variant, the Mirai botnet has extended its reach by integrating 13 new exploit payloads, specifically targeting routers, IP cameras, and more. This expansion of functionality amplifies the DDoS threat by exploiting vulnerabilities in devices from major manufacturers. The exploited vulnerabilities span 2015 to 2023 and centre on command execution flaws.
A new threat, OracleIV, has emerged, targeting publicly accessible Docker Engine API instances with a unique approach. Researchers from Cado unveiled a campaign exploiting misconfigurations, effectively turning machines into a distributed denial-of-service (DDoS) botnet. Using an HTTP POST request to Docker’s API, attackers fetch a malicious image, ‘oracleiv_latest’, which disguises itself as a MySQL container. The image includes a miner, but the container also carries a concise shell script (oracle.sh) designed for conducting DDoS attacks.
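The OracleIV campaign above depends on a Docker Engine API that is reachable over the network without client authentication. The following added example (not code from the original post or from Cado) audits a dockerd `daemon.json` for that condition; the two sample configurations are constructed, and the `hosts`, `tls` and `tlsverify` keys are real dockerd options.

```python
"""Audit a Docker daemon.json for a TCP API listener that lacks TLS client
authentication (the misconfiguration the OracleIV campaign abuses).
Added example; the sample configs below are constructed."""
import json
from urllib.parse import urlsplit

# Constructed sample: API bound to all interfaces with no TLS at all.
WEAK_DAEMON_JSON = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}'''

# Constructed sample: TCP listener kept, but mutual TLS is enforced.
HARDENED_DAEMON_JSON = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'''


def audit_daemon_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means no exposed listener."""
    cfg = json.loads(text)
    findings = []
    # "tlsverify" makes dockerd require a client certificate signed by tlscacert.
    tls_client_auth = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tls_client_auth:
            findings.append(f"{host}: TCP API listener without tlsverify; "
                            "anyone who can reach the port can create containers")
        elif parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: mTLS enforced, but bound to all interfaces; "
                            "confirm firewall rules limit reachability")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no findings"])
```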
FortiGuard Labs has identified recent samples of the Condi DDoS-as-a-service botnet, exploiting the vulnerability (CVE-2023-1389) in TP-Link Archer AX21 (AX1800) routers. This discovery highlights an active attempt to spread, emphasizing the persistent risk associated with unpatched systems in the face of DDoS threats.
Like any cyber-attack, botnet DDoS attacks are costly and must be prevented proactively. With the help of intelligent and comprehensive cloud-based DDoS protection solutions from AppTrana WAAP you can effectively prevent DDoS botnet attacks without having to install any hardware or software.
This fully managed solution is capable of nuanced intrusion detection, traffic monitoring and filtering, and instant bot blocking based on global threat intelligence, real-time insights, and security analytics.
As a managed security solution, AppTrana WAAP is tailored to the unique needs of the organization. Its WAF rules are built with surgical accuracy to prevent a wide range of DDoS botnets and other attacks by default.
With AppTrana DDoS protection, you can rest assured that your website, application or service is always available to your legitimate users.
This post was last modified on February 13, 2024 16:41