CyberSecurity news

FlagThis - #botnet

CISO2CISO Editor 2@ciso2ciso.com - 39d
Cloudflare successfully mitigated a record-breaking 5.6 Tbps Distributed Denial of Service (DDoS) attack on October 29, 2024. The attack, launched by a Mirai-variant botnet, targeted an internet service provider (ISP) in East Asia. The botnet comprised 13,000 compromised IoT devices that flooded the target with malicious traffic aimed at crippling the ISP's operations.

The attack lasted only 80 seconds, but Cloudflare's autonomous defense systems promptly identified and mitigated the anomalous traffic without human intervention, intercepting and neutralizing the malicious data at Cloudflare's edge nodes. Each IP address within the botnet generated an average of approximately 4 Gbps of traffic. The successful defense highlights the escalating sophistication and scale of DDoS threats, with hyper-volumetric attacks exceeding 1 Tbps increasing dramatically. This incident underscores the importance of robust DDoS mitigation strategies and the need for continuous evolution in network security.

Recommended read:
References :
  • ciso2ciso.com: New Mirai Malware Variant Targets AVTECH Cameras, Huawei Routers – Source: www.infosecurity-magazine.com
  • securityaffairs.com: New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers
  • The Hacker News: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
  • Techzine Global: Mirai variant Murdoc_Botnet targets cameras and routers
  • discuss.privacyguides.net: New botnet network targets Avtech cameras and Hauwei HG532 routers
  • hackread.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
  • bsky.app: Interesting research from Qualys here where they found a botnet that’s infected vulnerable AVTECH cameras and Huawei routers.
  • cyberpress.org: New IoT Botnet Launching large-scale DDoS attacks Hijacking IoT Devices
  • gbhackers.com: New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
  • securityonline.info: IoT Botnet Fuels Large-Scale DDoS Attacks Targeting Global Organizations
  • ciso2ciso.com: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers – Source:thehackernews.com
  • ciso2ciso.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
  • ciso2ciso.com: Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices.
  • ciso2ciso.com: Details about the mitigation of the DDoS attack.
  • gbhackers.com: Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet
  • ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
  • securityonline.info: Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
  • hackread.com: Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
  • gbhackers.com: Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
  • BleepingComputer: The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
  • securityonline.info: On October 29, 2024, Cloudflare revealed details of a DDoS attack orchestrated using a Mirai botnet comprising 13,000
  • blog.cloudflare.com: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)
  • : Cloudflare thwarts a massive 5.6 Tbps Mirai-variant DDoS attack targeting one of its customers

@osint10x.com - 64d
Cybersecurity experts are warning about a surge in activity from two botnets, FICORA and CAPSAICIN, exploiting old vulnerabilities in D-Link routers. These botnets are leveraging decade-old weaknesses in the Home Network Administration Protocol (HNAP) interface to execute malicious commands, propagate malware, and launch DDoS attacks. FICORA, a Mirai variant, targets devices globally, while CAPSAICIN, a Kaiten variant, primarily targets East Asia. The attacks demonstrate the ongoing risks posed by outdated and unpatched network hardware, with the vulnerabilities used having been known for years.

The FICORA botnet uses a downloader script to deploy its malware and brute-force credentials, and launches DDoS attacks over the UDP, TCP, and DNS protocols. The CAPSAICIN botnet focuses on rapid deployment and actively terminates rival botnet processes on infected devices to maintain control; it sends operating system information to a command and control server and then awaits further commands. Researchers advise users to update router firmware, implement thorough monitoring, and use cybersecurity solutions to mitigate the threats posed by these botnets, highlighting the dangers of older devices and the crucial need for regular updates.

Recommended read:
References :
  • siliconangle.com: Botnets leverage decade-old D-Link vulnerabilities in new attack campaigns
  • www.fortinet.com: Fortinet : The fun don't stop with end-of-life D-Link products: Botnets like FICORA, a Mirai variant, and CAPSAICIN, a Kaiten variant, are exploiting , , , and . Only CVE-2015-2051 is in CISA's KEV Catalog. Indicators of compromise are provided.
  • The Hacker News: FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
  • osint10x.com: Botnets Continue to Target Aging D-Link Vulnerabilities
  • Security Affairs: SecurityAffairs.com article on surge in FICORA and Kaiten botnet activity.
  • Cyber Security News: New Botnet Exploits D-Link Routers for Remote Control
  • ciso2ciso.com: FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
  • cyberpress.org: Researchers observed increased activity from Mirai variant “FICORA” and Kaiten variant “CAPSAICIN” botnets in late 2024 that exploited known vulnerabilities in D-Link devices, such as CVE-2024-33112.
  • CyberInsider: Unpatched D-Link routers worldwide targeted by new malware
  • ciso2ciso.com: CISO2CISO article on surge in FICORA and Kaiten botnet activity.
  • : Experts warn of a surge in activity associated FICORA and Kaiten botnets – Source: securityaffairs.com
  • securityonline.info: CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices
  • ciso2ciso.com: FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks.
  • ciso2ciso.com: FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks – Source:hackread.com
  • gbhackers.com: New Botnet Exploiting D-Link Routers To Gain Control Remotely
  • Security Risk Advisors: 🚩 Mirai “FICORA” and Kaiten “CAPSAICIN” Botnets Target Decade-Old D-Link Weaknesses
  • Techzine Global: Malware botnets abuse outdated D-Link routers
  • gbhackers.com: GBHackers article about a new botnet exploiting D-Link routers to gain control remotely.
  • supportannouncement.us.dlink.com: D-Link Security Advisory

Bill Toulas@BleepingComputer - 78d
The BADBOX malware campaign has compromised over 30,000 Android devices in Germany, including digital photo frames, media players and possibly smartphones. The malware is pre-installed on the devices, exploiting outdated Android versions. The German Federal Office for Information Security (BSI) has taken action to disrupt the communications between infected devices and command-and-control servers. This campaign highlights the risks associated with insecure supply chains and pre-installed malware on IoT devices, and emphasizes the need for rigorous security checks and device updates to prevent similar incidents.

Recommended read:
References :
  • BleepingComputer: Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.
  • Cybernews: German authorities blocked 30,000 Android devices with pre-installed malware from connecting to BadBox botnet servers.
  • therecord.media: Germany cuts hacker access to 30,000 devices infected with BadBox malware
  • www.bleepingcomputer.com: Germany sinkholes BadBox malware pre-loaded on Android devices
  • securityaffairs.com: German agency BSI sinkholed a botnet of 30,000 devices infected with BadBox
  • CyberInsider: BSI Disrupts “BadBox” Malware Pre-Loaded on 30,000 Devices
  • www.bsi.bund.de: BSI (Germany): (German Language) The Federal Office for Information Security (BSI) sinkholed internet traffic originating from Germany and going to the command and control servers of the BADBOX malware group (which originates from China).
  • PCMag: In a disturbing find, a government agency in Germany has discovered that as many as 30,000 Android devices in the country contained preinstalled malware.
  • www.pcmag.com: 30,000 Android devices found preinstalled with malware in Germany
  • socradar.io: BadBox Malware Compromises 30,000 Devices in Germany The German Federal Office for Information Security (BSI) has taken decisive action to stop the BadBox malware campaign, which affected over 30,000 Android IoT devices.
  • The Hacker News: Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country.
  • www.cysecurity.news: Germany Warns of Pre-Installed Malware on 30,000 Devices

@www.bleepingcomputer.com - 31d
A new Mirai botnet variant, named Aquabot, has emerged, actively exploiting a command injection vulnerability, identified as CVE-2024-41710, in Mitel SIP phones. This malware targets Mitel 6800, 6900, and 6900w series phones, including the 6970 Conference Unit, and is being used to construct a botnet for launching distributed denial-of-service (DDoS) attacks. The Aquabot malware uses previously published proof-of-concept code to spread to vulnerable devices.

The Aquabot botnet stands out due to its novel ability to communicate with its command and control server when it detects a kill signal attempting to terminate the malware on an infected device. This behaviour is new for a Mirai variant, and could be a method for the botnet author to monitor its health. The exploit, discovered in January 2025, roughly six months after the vulnerability was publicly disclosed by Mitel, injects a shell script that downloads and executes the Mirai malware onto targeted systems.

Recommended read:
References :
  • ciso2ciso.com: Aquabot Botnet Targeting Vulnerable Mitel Phones – Source: www.securityweek.com
  • ciso2ciso.com: A Mirai-based malware family, Aquabot, started targeting vulnerable Mitel SIP phones to build a botnet for DDoS attacks.
  • The Register: A new variant of the Mirai-based malware Aquabot is actively exploiting a vulnerability in Mitel phones to build a remote-controlled botnet, according to Akamai's Security Intelligence and Response Team.
  • go.theregister.com: Why is my Mitel phone DDoSing strangers?
  • ciso2ciso.com: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
  • The Hacker News: New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks
  • www.theregister.com: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
  • www.bleepingcomputer.com: New Aquabotv3 Botnet Malware Targets Mitel Command Injection Flaw
  • AAKL: The Register: Why is my Mitel phone DDoSing strangers? Oh, it was roped into a new Mirai botnet
  • gbhackers.com: New Aquabot Malware Actively Exploiting Mitel SIP phones injection vulnerability
  • securityaffairs.com: Aquabot, a new variant of Mirai-based malware, actively targeting Mitel SIP phones.

Pierluigi Paganini@Security Affairs - 18h
A new variant of the Vo1d botnet has resurfaced, infecting 1.6 million Android TV devices worldwide. Security researchers at XLab have identified the malware, noting enhanced capabilities that sustain its rapid growth. The infected devices are recruited into a botnet controlled by a command-and-control server, enabling cybercriminals to perform malicious activities.

The infected Android TV devices are then tasked by the command-and-control server with illegal activities, including DDoS attacks and ad click fraud. Protection against Vo1d begins when an Android TV device is purchased: buy from a reputable brand and retailer. Malware can be pre-installed on Android TV devices, either by the device manufacturer or introduced by a middleman along the production chain.

Recommended read:
References :
  • CyberInsider: Vo1d Botnet Resurfaces, Infects 1.6 Million Android TVs Worldwide
  • securityaffairs.com: Enhanced capabilities sustain the rapid growth of Vo1d botnet
  • PCWorld: New botnet malware infects 1.6 million Android TV devices worldwide
  • The420.in: Vo1d Botnet Expands to 1.59 Million Infected Android TVs, Fueling Massive Cybercrime Operations
  • Cyber Security News: Vo1d Botnet Hacks 1.6 Million Android TVs Worldwide
  • Talkback Resources: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes [net] [mal]

Pierluigi Paganini@securityaffairs.com - 44d
A sophisticated botnet has been discovered exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to distribute malware through spam campaigns. The botnet leverages a simple DNS misconfiguration, specifically in Sender Policy Framework (SPF) records, allowing malicious emails to appear as if they are coming from legitimate domains. This bypasses email protection techniques, enabling the distribution of trojan malware and other malicious content. The botnet is masking its traffic by using the compromised routers as SOCKS proxies.

The misconfigured SPF records, which use "+all" instead of "-all", effectively permit any server to send email on behalf of the domain, nullifying SPF protection entirely. Attackers are using this weakness to spoof sender domains and send out emails that often mimic shipping companies like DHL, using subject lines referencing invoices or tracking information. These emails carry zip attachments containing obfuscated JavaScript files that execute PowerShell scripts, connecting victims to a command-and-control server associated with Russian cybercriminal activity.
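As an added illustration of the SPF weakness described above (example code written for this page, not from the Infoblox research or any of the articles listed): a small Python checker that parses an SPF TXT record, reports which policy its "all" terminator applies to senders matched by no other mechanism, and rewrites a permissive "+all" to "-all". The domains and addresses in the sample records are constructed.

```python
from __future__ import annotations

# SPF qualifiers per RFC 7208: '+' pass (the default when omitted), '-' fail,
# '~' softfail, '?' neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples.

    Returns an empty list when the record is not an SPF v1 record.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers such as redirect= / exp= are not mechanisms
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def spf_all_policy(record: str) -> str:
    """Policy applied to a sender that no earlier mechanism matched.

    Returns pass/fail/softfail/neutral from the first 'all' term, or 'none'
    when 'all' is absent (RFC 7208 then yields neutral) or the record is not SPF.
    """
    for qualifier, mechanism, _ in parse_spf(record):
        if mechanism == "all":
            return QUALIFIERS[qualifier]
    return "none"


def is_open_spf(record: str) -> bool:
    """True when the record lets any host on the internet send as the domain."""
    return spf_all_policy(record) == "pass"


def harden_spf(record: str) -> str:
    """Rewrite a '+all' (or bare 'all') terminator to '-all'; leave others unchanged."""
    if not is_open_spf(record):
        return record
    terms = ["-all" if t.lower() in ("all", "+all") else t for t in record.split()]
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed sample records: the weak form the article describes and its fix.
    weak = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net +all"
    fixed = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
    for rec in (weak, fixed, "v=spf1 mx ~all", "v=spf1 mx"):
        print(f"{rec!r}: all-policy={spf_all_policy(rec)} open={is_open_spf(rec)}")
    print("hardened:", harden_spf(weak))
```

Run it against your own domain's TXT record (for example the output of `dig +short TXT example.com`) to confirm the terminator is "-all" or "~all" rather than "+all".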

Recommended read:
References :
  • securityaffairs.com: MikroTik botnet relies on DNS misconfiguration to spread malware
  • securityonline.info: 13,000 MikroTik Routers Hijacked for Global Malspam Operation
  • cyberpress.org: New Botnet Exploits DNS Flaw to Deliver Malware
  • blogs.infoblox.com: Infoblox : A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques.
  • Cyber Security News: New Botnet Exploits DNS Flaw to Deliver Malware
  • securityboulevard.com: MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware
  • www.bleepingcomputer.com: BleepingComputer news on MikroTik botnet uses misconfigured SPF DNS records to spread malware

@securityonline.info - 22d
The BADBOX botnet has infected over 190,000 Android devices, including high-end products like Yandex 4K QLED TVs. This botnet's widespread infection is attributed to supply chain vulnerabilities, potentially involving pre-installed malware embedded during the manufacturing or distribution phases. This discovery highlights the significant security risks associated with compromises in the supply chain of Android devices.

A recent investigation revealed over 160,000 unique IP addresses communicating with BADBOX command-and-control servers daily. These infections are concentrated in countries like Russia, China, India, Brazil, Belarus, and Ukraine. The BADBOX malware is believed to originate from the Triada family of Android malware, known for its stealth. Once activated, infected devices are transformed into residential proxies, enabling cybercriminals to route internet traffic through them for illegal activities and ad fraud.

Recommended read:
References :
  • Cyber Security News: CyberPress article about the BADBOX botnet infection of Android devices, including LED TVs.
  • gbhackers.com: GBHackers article reporting on the BADBOX botnet.
  • securityonline.info: Security Online article on the BADBOX botnet infecting Android devices with pre-installed malware.
  • cyberpress.org: Cyberpress.org article on BADBOX botnet and the affected devices.
  • securityonline.info: SecurityOnline article about BADBOX botnet and pre-installed malware targeting Android devices.
  • gbhackers.com: The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over 192,000 systems globally.

Cybereason Security Services Team@Blog - 28d
The Phorpiex botnet, previously known for spam and cryptocurrency mining, has been observed distributing LockBit Black ransomware, also known as LockBit 3.0. This new attack vector signifies a significant shift in the botnet's operations, now focusing on automated ransomware deployment through compromised websites and phishing emails. The malicious activity begins with phishing emails that contain malicious SCR files. When these files are executed, they establish a connection with a command-and-control server, download the LockBit binary, and execute the ransomware payload to begin file encryption.

Unlike traditional ransomware tactics that involve human operators and attempts at lateral movement within a network, this variant focuses on immediate execution of LockBit, reducing the attack's footprint and making it harder to detect. Phorpiex and LockBit employ various anti-detection strategies, such as deleting URL caches, obfuscating function calls, removing Zone.Identifier metadata, and modifying the Windows registry, all to ensure the ransomware runs automatically. This shift highlights the increasing trend of botnets being used as a tool for ransomware attacks.

Recommended read:
References :
  • cyberpress.org: Phorpiex botnet Host on Hacked Website to Launch LockBit Ransomware on Windows
  • securityonline.info: Phorpiex Botnet Now Deploying LockBit Ransomware in Automated Attacks
  • Virus Bulletin: Cybereason's Mahadev Joshi & Masakazu Oku investigate the Phorpiex botnet, which has been used to deliver and execute LockBit Black Ransomware (a.k.a. LockBit 3.0).