November 27, 2024
Severity
High
Analysis Summary
The Matrix threat actor has been linked to a large-scale distributed denial-of-service (DDoS) campaign exploiting vulnerabilities and misconfigurations in Internet of Things (IoT) devices. The operation, believed to be conducted by a lone Russian "script kiddie," uses a do-it-all approach, including scanning, exploiting flaws, deploying malware, and hosting tools, to co-opt devices into a botnet. Primary targets include IP addresses in China, Japan, and, to a lesser extent, Argentina, Australia, Brazil, Egypt, India, and the U.S., while Ukraine is notably absent, suggesting financial motivations.
Attackers exploit known security flaws and weak or default credentials in devices such as IP cameras, DVRs, routers, and telecom equipment. Misconfigured Telnet, SSH, and Hadoop servers, particularly those in cloud service providers (CSPs) like AWS, Microsoft Azure, and Google Cloud, are frequently targeted. Tools from GitHub are used to deploy DDoS-related malware, including the Mirai botnet, PYbot, pynet, DiscordGo, and others designed for HTTP/HTTPS flood attacks or disabling Windows Defender.

The campaign is also tied to a GitHub account, opened in November 2023, hosting DDoS artifacts. Additionally, the DDoS service is advertised as "Kraken Autobuy" on Telegram, offering tiered services for cryptocurrency payments.
Though not highly sophisticated, the attack demonstrates how accessible tools and basic skills can fuel multi-faceted attacks. Matrix’s reliance on public scripts and weak security highlights the need for fundamental cybersecurity practices, such as changing default credentials, securing protocols, and updating firmware.
Simultaneously, NSFOCUS reports another botnet, XorBot, targeting Intelbras cameras and NETGEAR, TP-Link, and D-Link routers. XorBot’s operators use advanced techniques like redundant code and obfuscation to enhance evasion, while also promoting DDoS-for-hire services under the name Masjesu. The expanding reach of such botnets emphasizes the urgency of addressing IoT vulnerabilities.
Impact
- Denial of Service
- Operational Disruption
Indicators of Compromise
Domain Name
- sponsored-ate.gl.at.ply.gg
IP
- 199.232.46.132
- 5.42.78.100
- 78.138.130.114
- 85.192.37.173
- 5.181.159.78
- 217.18.63.132
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update firmware on all network devices, especially those identified as vulnerable.
- Implement strict access controls to limit the exposure of network device interfaces on the internet.
- Use advanced DDoS mitigation services and solutions that can handle high packet and bit rate attacks.
- Conduct frequent security audits and vulnerability assessments on network infrastructure.
- Employ network segmentation to isolate critical infrastructure and reduce the attack surface.
- Increase monitoring and detection capabilities to quickly identify and respond to unusual traffic patterns.
- Collaborate with device manufacturers to address and patch security vulnerabilities promptly.
- Educate and inform users and administrators about the importance of timely updates and secure configurations.
- Implement robust firewall and intrusion prevention systems to filter malicious traffic.
- Develop and maintain an incident response plan to handle DDoS attacks effectively and minimize downtime.
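Two of the remediation items above, searching for the listed indicators and monitoring for unusual activity, pair naturally with the default-credential pattern described in the analysis. The block below is an added example, not code from the advisory or from any vendor it cites: it runs that check over constructed sshd log lines (the hostname cam01 and the non-indicator addresses are invented), flagging the published IP indicators, repeated failed logins from one source, and a password login that follows them.

```python
import re
from collections import Counter, defaultdict

# IP indicators from the advisory above (the domain indicator is not used here).
ADVISORY_IPS = {
    "199.232.46.132", "5.42.78.100", "78.138.130.114",
    "85.192.37.173", "5.181.159.78", "217.18.63.132",
}

# Constructed sshd log lines for an IoT camera host; not real captures.
SAMPLE_LOG = """\
Nov 27 10:00:01 cam01 sshd[311]: Failed password for root from 5.42.78.100 port 51034 ssh2
Nov 27 10:00:02 cam01 sshd[312]: Failed password for admin from 5.42.78.100 port 51035 ssh2
Nov 27 10:00:03 cam01 sshd[313]: Failed password for invalid user support from 5.42.78.100 port 51036 ssh2
Nov 27 10:00:04 cam01 sshd[314]: Accepted password for admin from 5.42.78.100 port 51037 ssh2
Nov 27 10:00:09 cam01 sshd[320]: Failed password for invalid user pi from 203.0.113.9 port 40011 ssh2
Nov 27 10:01:00 cam01 sshd[330]: Accepted publickey for ops from 198.51.100.7 port 22011 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (password|publickey) for "
    r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def analyse_auth_log(log_text, ioc_ips=ADVISORY_IPS, fail_threshold=3):
    """Return IoC matches, brute-force sources and password logins that followed failures."""
    failures = Counter()            # failed attempts per source IP
    users_tried = defaultdict(set)  # usernames guessed per source IP
    ioc_hits, suspicious_logins = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd message or a different log format
        outcome, method, user, ip = m.groups()
        if ip in ioc_ips:
            ioc_hits.add(ip)
        if outcome == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif method == "password" and failures[ip] > 0:
            # Password login right after a burst of failures: the default-credential pattern.
            suspicious_logins.append((ip, user))
    brute_force = {ip: (n, sorted(users_tried[ip]))
                   for ip, n in failures.items() if n >= fail_threshold}
    return {"ioc_hits": ioc_hits, "brute_force": brute_force,
            "password_login_after_failures": suspicious_logins}

if __name__ == "__main__":
    for key, value in analyse_auth_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real auth log by passing the file contents as log_text; the threshold and indicator set are parameters so the same routine can be reused as new indicators are published.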