DDoS Protection , Endpoint Security , Governance & Risk Management

Script Kiddie 'Matrix' Builds Massive Botnet

Likely Russian Hacker Exploits IoT Vulnerabilities, Many Known for Years
Script Kiddie 'Matrix' Builds Massive Botnet
Image: Shutterstock

An apparent Russian script kiddie is converting widespread security gaps into a powerful botnet capable of launching global-scale distributed denial-of-service attacks.

See Also: Real-World Strategies for Securing Remote Workforces and Data

Cloud security firm Aqua in a Tuesday blog post said a threat actor with the online moniker "Matrix" is exploiting Internet of Things device vulnerabilities such as default credentials and outdated software.

Aqua can't say for sure whether Matrix is a single individual, but "that is the impression conveyed." Matrix combines brute-force attacks with scripts. That heavy reliance on external scripts along with "a focus on leveraging existing tools rather than developing advanced capabilities independently" likely places Matrix on the unsophisticated spectrum of hacking. That hasn't stopped Matrix, since a proliferation of plug-and-play hacking tools and artificial intelligence enhancements have made it easier for less sophisticated attackers to execute wide-ranging campaigns.

The hacker also shows strong signs of Russian nationality, or at least takes pains to create that impression. His botnet hasn't targeted Ukraine, suggesting a focus on financial gain rather than ideology.

Denial of service attacks flit in and out of public awareness, with a recent upswing caused by self-styled Russian hacktivists who have used them primarily to create temporary annoyances. The line between hacktivism and for-profit activity can be thin - U.S. federal prosecutors indicted earlier this year two brothers for operating Anonymous Sudan, a DDoS group that simultaneously declared "cyber war" on the U.S. while renting out its botnet (see: US Indicts Sudanese Brothers for Anonymous Sudan Attacks).

Matrix appears to have begun his hacking spree in Nov. 2023 with the creation of a GitHub account, mostly used as a repository of publicly-available malware tools including leaked Mirai code, DDoS agent, PyBot, Pynet, SSH Scan Hacktool and Discord Go. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Aqua said.

His botnet consists of hacked network routers, digital video recorders, cameras and telecom equipment. Vulnerabilities in enterprise systems, such as Apache Hadoop YARN and HugeGraph, extend his reach beyond retail devices, although the majority of the vulnerabilities center around IoT devices.

Nearly 35 million internet-connected devices are the types of devices targeted by Matrix. "Assuming only 1% of these devices are exploitable, the potential botnet size could reach 350,000 devices. If 5% are vulnerable, the botnet size could grow to an estimated 1.7 million devices," Aqua said.

Researchers identified 167 unique username-password pairs used in attacks, 80% of which were default credentials such as "admin:admin."

Vulnerabilities exploited to assemble the botnet include unpatched flaws first identified years ago, including CVE 2017-18368 in ZTE routers and CVE 2021-20090 in Arcadyan firmware-enabled command injections. Universal plug and play vulnerabilities in Huawei and Realtek devices also facilitate hacking.

Matrix disproportionately targets the Asia-Pacfiic regions, particularly China and Japan, exploiting the high adoption rates of IoT devices in these areas.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.