New DDoS Campaign Linked to Matrix Threat Actor Identified
4 min read
Quick take - Aqua Nautilus researchers have identified a new DDoS campaign attributed to the threat actor Matrix. It compromises internet-connected devices through known vulnerabilities, misconfigurations and default credentials using publicly available tools and scripts, underscoring how little skill such campaigns now require and how much basic device hygiene would blunt them.
Fast Facts
- Aqua Nautilus researchers have linked a new DDoS campaign to the threat actor known as Matrix, which targets vulnerabilities in IoT and enterprise systems using public scripts and brute-force attacks.
- The campaign exploits weak credentials and misconfigurations, leaning heavily on default usernames and passwords; analysts recovered 167 unique username/password pairs used in brute-force attempts for initial access.
- Matrix's operations indicate a troubling trend where individuals with limited technical skills can execute large-scale attacks using readily available tools, including public scripts and a GitHub account used to host malicious artifacts.
- The campaign primarily targets devices in China and Japan, with an estimated botnet size ranging from 350,000 to 1.7 million devices, posing risks to online businesses and cloud infrastructure.
- Analysts emphasize the importance of basic security practices, such as changing default credentials and timely firmware updates, to mitigate the risks associated with this escalating DDoS threat.
New DDoS Campaign Linked to Matrix Threat Actor
Aqua Nautilus researchers have identified a new Distributed Denial-of-Service (DDoS) campaign linked to a threat actor known as Matrix. The investigation began with suspicious activity observed on Aqua's honeypots. The findings highlight the growing accessibility of attack tooling that requires minimal technical knowledge to operate.
Targeted Vulnerabilities and Attack Methods
The Matrix campaign primarily targets vulnerabilities and misconfigurations in internet-connected devices, including Internet of Things (IoT) and enterprise systems. It uses public scripts, brute-force attacks, and weak credentials to assemble a botnet capable of causing widespread disruption. Analysts note that the operation functions as an end-to-end toolkit for identifying and exploiting vulnerabilities, and then deploying malware.
Matrix’s approach reflects a concerning trend whereby individuals with limited technical skills can carry out sophisticated cyberattacks using open-source tools. Despite indications of a possible Russian affiliation, the absence of Ukrainian targets suggests that the threat actor is driven primarily by financial motives rather than political ones.
Initial Access and Exploited Vulnerabilities
Analysis of the campaign shows that initial access relies on low-effort methods. These exploit vulnerabilities in devices such as IP cameras, DVRs, routers, and telecom equipment. Attackers depend heavily on default or hardcoded credentials, brute-forcing common default username and password combinations. A total of 167 unique username and password pairs were observed, underscoring how prevalent unchanged default credentials remain.
Key attack methods include exploiting router vulnerabilities and targeting lightweight Linux devices. Misconfigurations and weak passwords were identified as the dominant initial access vectors, which is why basic practices such as changing default credentials and applying firmware updates promptly matter so much here.
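As an added example (not from Aqua's report or from the Matrix toolkit), the following Python script shows the detection side of the behaviour described above: it parses constructed Telnet honeypot log lines in an assumed format, groups login attempts by source IP, and flags sources that cycle through several known factory-default username/password pairs, recording whether any of those attempts succeeded. The log format, field names and the short default-credential list are assumptions; the list stands in for the 167 pairs the report counted.

```python
"""Flag brute-force logins that cycle through well-known default IoT credentials.

Added example. The log line format, the daemon name and the DEFAULT_CREDS list
are assumptions made for illustration, not data from the Aqua report.
"""
import re
from collections import defaultdict

# Assumption: a handful of factory defaults often seen on IoT devices.
# Illustrative only; the report counted 167 distinct pairs.
DEFAULT_CREDS = {
    ("root", "root"), ("admin", "admin"), ("root", "vizxv"), ("root", "xc3511"),
    ("admin", "1234"), ("user", "user"), ("root", ""), ("admin", "password"),
}

# Constructed sample honeypot log in an assumed format:
# <ts> telnetd[<pid>]: login attempt src=<ip> user=<u> pass=<p> result=<ok|fail>
SAMPLE_LOG = """\
2024-11-20T10:00:01Z telnetd[812]: login attempt src=203.0.113.7 user=root pass=root result=fail
2024-11-20T10:00:02Z telnetd[812]: login attempt src=203.0.113.7 user=root pass=vizxv result=fail
2024-11-20T10:00:03Z telnetd[812]: login attempt src=203.0.113.7 user=admin pass=admin result=fail
2024-11-20T10:00:04Z telnetd[812]: login attempt src=203.0.113.7 user=root pass=xc3511 result=ok
2024-11-20T10:00:09Z telnetd[812]: login attempt src=198.51.100.4 user=alice pass=s3cret result=fail
2024-11-20T10:00:10Z telnetd[812]: login attempt src=198.51.100.4 user=alice pass=s3cret2 result=ok
2024-11-20T10:01:00Z telnetd[812]: login attempt src=192.0.2.55 user=admin pass=1234 result=fail
2024-11-20T10:01:01Z telnetd[812]: login attempt src=192.0.2.55 user=root pass= result=fail
2024-11-20T10:01:02Z sshd[901]: Connection closed by 192.0.2.55 port 51022
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login attempt src=(?P<src>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse(log_text):
    """Return a list of dicts for every line that matches the assumed format.

    Lines from other daemons or truncated lines are skipped rather than raising,
    so one malformed line cannot stop the whole scan.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_default_cred_bruteforce(events, min_distinct_pairs=2):
    """Return {src_ip: summary} for sources that tried at least
    ``min_distinct_pairs`` distinct known default credential pairs.

    The summary records every default pair tried and, if one of them logged in
    successfully, which pair it was, so a single source trying many defaults is
    surfaced even when every attempt failed.
    """
    per_src = defaultdict(lambda: {"default_pairs": set(), "total": 0, "succeeded_with": None})
    for e in events:
        state = per_src[e["src"]]
        state["total"] += 1
        pair = (e["user"], e["pw"])
        if pair in DEFAULT_CREDS:
            state["default_pairs"].add(pair)
            if e["result"] == "ok":
                state["succeeded_with"] = pair

    alerts = {}
    for src, state in per_src.items():
        if len(state["default_pairs"]) >= min_distinct_pairs:
            alerts[src] = {
                "attempts": state["total"],
                "default_pairs_tried": sorted(state["default_pairs"]),
                "compromised": state["succeeded_with"] is not None,
                "succeeded_with": state["succeeded_with"],
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_default_cred_bruteforce(parse(SAMPLE_LOG)).items():
        status = "COMPROMISED" if info["compromised"] else "probing"
        print(f"{src}: {status}, {info['attempts']} attempts, "
              f"{len(info['default_pairs_tried'])} default pairs tried")
```

Run against the constructed sample, the script flags 203.0.113.7 as compromised (it logged in with root/xc3511 after three default pairs failed) and 192.0.2.55 as probing (two default pairs, no success), while 198.51.100.4, a legitimate user mistyping a non-default password, produces no alert. Raising min_distinct_pairs trades sensitivity for fewer alerts on noisy networks.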
The Common Vulnerabilities and Exposures (CVE) analysis identified 10 CVEs exploited over the course of the campaign, including the recent CVE-2024-27348. The targeted devices fall predominantly within the IoT category, reinforcing Matrix's focus on systems with minimal security measures.
Geographic Targeting and Botnet Size
Analysis indicates that Cloud Service Providers (CSPs) and private companies, particularly in the Asia-Pacific (APAC) region, are at heightened risk. Specifically, China and Japan emerged as the most targeted nations, while the United States ranked 15th in terms of targeted countries. A potential target list has revealed nearly 35 million internet-connected devices that could be exploited, with estimates of the botnet size ranging from 350,000 to 1.7 million devices.
Additionally, Matrix operates a GitHub account created in November 2023 from which malicious artifacts are downloaded. The primary programming languages used in the campaign are Python, Shell, and Golang. The threat actor relies mainly on tools taken from public repositories rather than developing its own.
The campaign also incorporates various DDoS tools, including Mirai, which is known for targeting IoT devices and has been linked to large-scale attacks. Furthermore, Matrix runs a Telegram bot for selling DDoS services, with separate pricing plans for Layer 4 (transport-level, volumetric) and Layer 7 (application-level) attacks.
The impact of these DDoS attacks extends to service denial for online businesses and potential disruptions to cloud vendor infrastructure. Mapping the campaign to the MITRE ATT&CK framework reveals common techniques employed throughout the operation. To counter these threats, detection and mitigation strategies emphasize addressing vulnerabilities, securing devices, and utilizing threat analysis tools.
Aqua’s Cloud Native Application Platform (CNAPP) and Dynamic Threat Analysis (DTA) are recommended solutions for enhancing security in cloud environments. Overall, this campaign represents an escalation in DDoS attacks, illustrating the adaptability and scale of modern threat actors. The analysis underscores the urgent need for improved security configurations to prevent exploitation of vulnerabilities and to safeguard against potential attacks.