Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, named Abcbot by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe cryptojacking group. This is further evidence that the same botnets are often used for both mining and DDoS.

The EwDoor botnet, which first came to researchers' attention in late October, turned out to be more picky than Abcbot. This zombie network consists solely of EdgeMarc Enterprise Session Border Controller devices located on AT&T carrier networks. The bot infiltrated the devices through the CVE-2017-6079 vulnerability, which allows execution of arbitrary commands. By exploiting a bug in the bot itself (one of the first versions accessed a non-existent C2 server, which researchers then registered), Netlab 360 managed to detect 5,700 infected devices. However, the cybercriminals later severed communication with this server. AT&T is investigating the attacks on EdgeMarc devices.

In November, Qrator Labs recorded a series of short but powerful attacks on its systems and those of its clients. The attackers used a TCP data flood: they established a TCP connection to the victim's server, then flooded it with random heavy TCP packets. In some cases, DNS amplification was also used. The attacks, launched from thousands of cameras and routers, lasted 2–3 minutes and then stopped. Researchers note that the botnet is new, and they currently lack sufficient data to describe it. They also speculate that the short attack duration is because the attackers wish to remain undetected, so they do not borrow the infected devices' owners' communication channels for long.

Google's Damian Menscher discovered a zombie network consisting of vulnerable GitLab servers. The botnet hijacked new devices by exploiting the CVE-2021-22205 vulnerability, which GitLab patched in April 2021, and carried out DDoS attacks of over 1 TB/s. Menscher does not specify whether the bot is entirely new or related to existing botnets. However, around the same time, Cloudflare reported a brief but powerful Mirai-type attack, involving, among other things, GitLab servers infected through CVE-2021-22205.

Known botnets made the news more than once in Q4. For instance, Moobot added a relatively fresh vulnerability to its arsenal. A bug designated CVE-2021-36260 was found in some Hikvision camera models and patched in September 2021. Like CVE-2017-6079, this vulnerability allows attackers to execute arbitrary commands. Once on the device, Moobot waits for a command from the C2 server before launching a DDoS attack. Researchers link the campaign to a DDoS-as-a-Service provider whose Telegram channel they came across during their analysis. The channel was created in June and went live in August 2021.

The Mēris botnet discovered last quarter turned out to be two botnets, reports Netscout. The company named the second one Dvinis ("twin" in Latvian). Unlike its elder brother, it does not use HTTP pipelining, but it is also deployed in high-power attacks. Moreover, according to Netscout, Dvinis accounts for 75% of all attacks attributed to Mēris.

In late 2021, news broke of a vulnerability in the Apache Log4j library, which laid claim to being the most dangerous vulnerability of the year. Log4Shell, as the vulnerability is called, is present in all versions of Log4j from 2.0-beta9 to 2.14.1, and allows an attacker to take full control of a vulnerable system. What's more, an exploit for the vulnerability is available online, and the library that contains it is used in millions of products, both commercial and open-source. Not surprisingly, many cybercriminals, including DDoS botnet developers, have added Log4Shell to their toolkit. In particular, Mirai, Muhstik and Elknot bots are trying to exploit this vulnerability.

As for DDoS attacks themselves, media in the Philippines came under repeated fire during the past quarter. In mid-November, the online outfit PinoyMedia Center was flooded; then, in the first half of December, the same fate befell the news portal ABS-CBN News, followed by the media organization VERA Files. The digital media company Rappler was also attacked several times a month by unknown actors.