Russian Hacker ‘Matrix’ Builds Powerful DDoS Botnet Using Publicly Available Tools

November 27, 2024

A Russian hacker, known as 'Matrix', has built a large-scale distributed denial-of-service (DDoS) botnet by exploiting weakly protected Internet-of-Things (IoT) devices and enterprise servers. The botnet's scale suggests potential for widespread disruption. Matrix has utilized publicly available malware tools and exploit scripts to target devices with weak credentials and configurations.

Aqua Nautilus researchers have been tracking Matrix's activities, which include establishing a store on Telegram, where customers can purchase varying DDoS plans and services. These plans, ranging from 'Basic' to 'Enterprise', enable buyers to launch DDoS attacks of varying durations on targets of their choice.

Assaf Morag, lead data analyst at Aqua, stated, "Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software." This highlights the importance of basic security practices such as changing default credentials, securing administrative protocols, and applying timely firmware updates.

The number and duration of DDoS attacks have been increasing. A study by Gcore showed a 46% increase in DDoS attacks in the first half of 2024 compared to the same period last year. Some attacks exceeded multiple terabits of attack traffic per second.

Matrix's campaign started in November 2023 with the creation of a GitHub account, which was primarily used as a repository for various publicly available malware tools. These tools were downloaded from different sources and, in some cases, modified by Matrix for use in the DDoS campaign. Commonly available DDoS botnet tools such as Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go were found in Matrix's GitHub account.

Matrix has been scanning the internet for IoT devices with known vulnerabilities, including older flaws such as CVE-2014-8361, a remote code execution vulnerability in Realtek Software Development Kit. Other targeted vulnerabilities include CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106 from 2017; and CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995 from 2018. These vulnerabilities affect a range of devices including network routers, DVRs, cameras, and telecom equipment.

Matrix has also targeted vulnerabilities and misconfigurations in enterprise servers, including a critical RCE vulnerability in Apache HugeGraph servers (CVE-2024-27348). The majority of the scanning activity targeted servers in AWS environments, followed by Microsoft Azure and Google's cloud platform.

Currently, Matrix's primary focus is China and Japan, likely due to the high density of IoT devices in these countries. Matrix has also exploited default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers, incorporating them into the DDoS botnet.
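The article repeatedly comes back to the same weak point: devices and servers reachable on the internet with default or guessable passwords, which a scanner tries in bulk before enrolling the host in the botnet. The following is an added example (not code from the article or from Aqua Nautilus) of the defender-side check a practitioner would want: it parses syslog-style `sshd` authentication lines and flags source addresses that produce a burst of failed password logins, noting whether a password-based login eventually succeeded from the same address. The log lines, the 5-failures-in-60-seconds threshold and the `detect_bruteforce` name are all constructed here for illustration.

```python
"""
Flag credential-guessing bursts in SSH authentication logs.

Added example for this article; the log lines below are constructed and the
threshold/window values are assumptions, not figures from the Aqua report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog format). 203.0.113.7 guesses several default
# account names and then gets in with a password; 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
Nov 27 10:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 27 10:00:02 gw sshd[2102]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Nov 27 10:00:02 gw sshd[2103]: Failed password for invalid user support from 203.0.113.7 port 51026 ssh2
Nov 27 10:00:03 gw sshd[2104]: Failed password for invalid user user from 203.0.113.7 port 51028 ssh2
Nov 27 10:00:04 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov 27 10:00:05 gw sshd[2106]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Nov 27 10:05:00 gw sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 27 10:05:30 gw sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user support from ...".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None if it is not an auth event.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
    return {
        "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for every source IP that produced at least
    `threshold` failed password attempts inside any `window_seconds` span.
    Each finding records the failure count, the account names tried, and
    whether a password login from that IP succeeded after the last failure."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over failure timestamps: advance `start` until the
        # window [start, end] fits inside window_seconds, then check its size.
        start, burst = 0, False
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue

        last_fail = fails[-1]["ts"]
        success_after = any(
            e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= last_fail
            for e in evs
        )
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

A hit where `success_after_failures` is true is the case worth paging on: a guessed password followed by a login is exactly how a device ends up in a botnet like the one described here, and the fix is the one the article names (rotate the default credential, and prefer key-based or otherwise restricted administrative access).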

Aqua's analysis indicates that there are 35 million systems running the software targeted by Matrix. If even 1% of these systems are exploitable, Matrix could have a botnet of around 350,000 devices. The actual size of the botnet remains unclear, but indicators suggest that it is substantial.
