
Matrix Botnet: IoT Devices Attacked In Recent DDoS Campaign

by Wajahat Raja

December 13, 2024 - TuxCare expert team

Recent reports claim that a threat actor named Matrix has been leveraging IoT devices in a recent DDoS campaign. These attacks work by exploiting vulnerabilities in those devices to build a disruptive botnet. In this article, we’ll dive into the details of the Matrix botnet, the attack infrastructure and arsenal, and mitigation protocols. Let’s begin!

Matrix Botnet: Initial Discovery And Overview  

The Matrix botnet was initially discovered by researchers at Aqua who observed a Distributed Denial-of-Service (DDoS) attack campaign. The security platform mentioned that the activities triggered by the threat actor were identified on their honeypots. One of the most striking aspects of this attack campaign is its use of readily accessible tools.

Such an attack arsenal serves as a crucial reminder of how easily large-scale cyber attacks can be conducted. In addition, the campaign is also in line with the growing trend where hackers are leveraging flaws among internet-connected devices to carry out their malicious intentions. 

Before we get into the details of the attack, it’s essential to know that the Matrix botnet campaign combines various attack tools and methodologies. Public scripts, brute-force attacks, and exploitation of weak credentials are common examples of the techniques combined to create the botnet. 

Vector Used For Gaining Initial Access 

When it comes to gaining access to the devices they want to compromise, the hackers' initial step is to gather publicly available scripts and tools. After that, the attackers begin to exploit default or hardcoded credentials, gaining access to a wide variety of internet-connected devices such as: 

  • IP cameras. 
  • DVRs.
  • Routers.
  • Telecom equipment.
  • And more. 

Apart from compromising these devices, the attackers also target common applications and protocols, including telnet, SSH, Hadoop, and HugeGraph. Exploiting vulnerabilities in these gives the attackers access to more capable server infrastructure. Shedding light on such initiatives, experts have stated that:  

“Many of these attacks involve brute-force login attempts using common default credentials like admin:admin or root:camera, which continue to be prevalent on unprotected devices, making them particularly vulnerable to compromise. Once compromised, these devices become assets in larger-scale operations, including Distributed Denial of Service (DDoS) attacks.”
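The brute-force pattern described above (many rapid login failures from one source against default usernames such as root or admin) is straightforward to detect on the device or on a central log collector. The following Python script is an added example written for this article; it is not code from the article, TuxCare, or Aqua. It parses a constructed sample of sshd-style auth log lines (documentation IP ranges, invented hostnames and PIDs) and flags source addresses that produce a threshold number of failures inside a sliding time window, also reporting how many of those attempts used default usernames.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog/sshd format). None of these lines come from
# the article or from Aqua's report; IPs are from RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Dec 13 02:14:01 cam-01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 13 02:14:02 cam-01 sshd[2231]: Failed password for root from 203.0.113.7 port 51023 ssh2
Dec 13 02:14:03 cam-01 sshd[2233]: Invalid user admin from 203.0.113.7 port 51024
Dec 13 02:14:04 cam-01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Dec 13 02:14:05 cam-01 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51025 ssh2
Dec 13 02:14:06 cam-01 sshd[2237]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec 13 02:20:10 cam-01 sshd[2301]: Accepted publickey for ops from 198.51.100.4 port 40110 ssh2
Dec 13 02:21:00 cam-01 sshd[2305]: Failed password for ops from 198.51.100.4 port 40111 ssh2
Dec 13 02:30:00 cam-01 sshd[2400]: Failed password for root from 192.0.2.9 port 33001 ssh2
Dec 13 02:45:00 cam-01 sshd[2410]: Failed password for root from 192.0.2.9 port 33002 ssh2
Dec 13 03:00:00 cam-01 sshd[2420]: Failed password for root from 192.0.2.9 port 33003 ssh2
Dec 13 03:15:00 cam-01 sshd[2430]: Failed password for root from 192.0.2.9 port 33004 ssh2
Dec 13 03:30:00 cam-01 sshd[2440]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# Usernames behind the default-credential pairs quoted in the article (admin:admin, root:camera).
DEFAULT_USERNAMES = {"root", "admin"}

# Matches the sshd "Failed password" line, with or without the "invalid user" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for every failed login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; a fixed year is fine for window arithmetic
            ts = datetime.strptime(m.group("ts").replace("  ", " "), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with `threshold` failures inside any `window_seconds` span.

    Returns {ip: {"attempts": n, "default_user_attempts": m, "users": [...]}}.
    Failures spread out over hours (below the rate) are deliberately not flagged,
    so a legitimate user mistyping a password now and then does not trigger an alert.
    """
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            span = events[i + threshold - 1][0] - events[i][0]
            if span.total_seconds() <= window_seconds:
                users = [u for _, u in events]
                alerts[ip] = {
                    "attempts": len(users),
                    "default_user_attempts": sum(u in DEFAULT_USERNAMES for u in users),
                    "users": sorted(set(users)),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {info['attempts']} failures, "
              f"{info['default_user_attempts']} against default usernames, users={info['users']}")
```

On the constructed sample only 203.0.113.7 is flagged: five failures in five seconds, all against root or admin. The slow trickle from 192.0.2.9 only appears if the window is widened, which is the knob to tune against the scanning volume Aqua describes from its low-interaction honeypots. A high count of default-username attempts against a device is also a useful signal that the device itself should be checked for unchanged factory credentials.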

The Matrix botnet attack campaign does not use technologically complex techniques but rather relies on widespread security gaps. Those keen on ensuring protection must understand how these threat actors are able to compromise IoT devices for malicious intent. Some of the key methods used in the attack campaign include:  

Device | Method
Router vulnerabilities | Hackers exploit vulnerabilities that may include CVE-2017-18368, a command injection flaw, and CVE-2021-20090, which affects various devices running Arcadyan firmware.
DVR and camera exploits | Hackers use Hi3520 for exploiting weaknesses in surveillance devices. This enables unauthorized access and command execution through HTTP.
Telecom equipment and IoT devices | Hackers target these devices to exploit their inherent vulnerabilities, such as misconfigured services and outdated firmware, allowing them to gain unauthorized access. By leveraging these weaknesses, they can integrate the compromised devices into botnets, using them to launch large-scale DDoS attacks or other malicious activities.
Advanced exploits in software systems | Hackers also focus on exploiting vulnerabilities in Apache Hadoop’s YARN and HugeGraph servers, allowing remote code execution and broadening the scope of the attack from IoT devices to include enterprise-level software systems.

DDoS Attack Campaign Targets 

Reports have mentioned that the Matrix botnet hackers leverage a wide range of IoT devices. Commenting on the targets and goals of the campaign, experts have stated that:  

“We analyzed the configuration files used by the scanners to gain insight into the goals and impact of this campaign. This analysis was supplemented with data from our high-interaction honeypots, which provided detailed information on the attacker behavior, and low-interaction honeypots, which highlighted the volume of scanning activity, and the types of services targeted.”

The Matrix botnet hackers also make use of a dedicated list of Cloud Service Providers (CSPs) and focus on their IP ranges. In addition, the hackers also targeted smaller private clouds and companies. 

Such a target selection suggests that while attackers aim to launch DDoS attacks targeting IoT devices, the inclusion of CSPs makes regional organizations a target as well. The CSPs that were targeted in the Matrix botnet campaign include:  

CSP | Target percentage
Amazon Web Services (AWS) | 48%
Azure | 34%
Google Cloud Platform (GCP) | 16%
Others | 2%

It’s worth noting that both China and Japan appear to be the most targeted regions of the attack campaign. A possible reason for this might be the widespread use of IoT devices in those regions. 

In addition, experts have mentioned that the US is 15th on the list of targeted countries. Providing insight pertaining to the origins and motive of the Matrix botnet hackers, security experts have stated that: 

“The threat actor is believed to have Russian origins, yet Russia is completely absent from the list of targets, which aligns with expectations. However, what is particularly surprising is the absence of Ukraine from the target list. This suggests that the actor’s motivations are strongly tied to financial gain rather than any patriotic sentiment, highlighting a business-driven approach to their operations.”

Attack Tools And Mitigation Protocols

As far as the attack infrastructure and tools are concerned, the Matrix botnet appears to have been developed using Python, used 40% of the time, and Shell and Golang, each used 18% of the time. In addition, minor contributions from other programming languages such as Java, JavaScript, and Perl are also evident. 

While such an infrastructure points towards diverse language familiarity, most tools used during the attacks originate from other hacking websites or GitHub accounts. The threat actors are believed to download and modify the tools locally, but with a heavy reliance on external scripts. Some of the key tools that were uploaded to Matrix’s GitHub include: 

  • Mirai botnet. 
  • DDoS Agent. 
  • SSH Scan Hacktool. 
  • PyBot. 
  • PYnet.
  • DiscordGo. 
  • HTTP/HTTPS flood attack. 
  • The Homo Network.

As cyber threats become more frequent and complex, implementing adequate mitigation and protection mechanisms becomes a necessity. Commenting on the ability to monitor and detect Matrix botnet activities, experts stated that: 

“By adopting advanced technical means such as inserting redundant code and obfuscating sample signatures, they have improved the defensive capabilities at the file level, making their attack behavior more difficult to monitor and identify.”

To mitigate the risk of falling prey to the Matrix botnet, protocols that should be implemented include scanning the environment, code, container images, and cloud workloads. Running such scans can help identify vulnerabilities, concealed malware, and configuration errors, which can then be patched or corrected to ensure protection. 

Conclusion

The Matrix botnet campaign highlights how easily attackers can exploit vulnerabilities in IoT devices and enterprise systems using accessible tools and scripts. By understanding their tactics and implementing robust security measures, organizations can strengthen their defenses against these widespread and evolving cyber threats.

The sources for this piece include articles in The Hacker News and Aqua Security.
