Thursday, October 3, 2024
HomeCVE/vulnerabilityCatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Published on

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS) attacks are actively exploited by hackers. 

Sometimes, DDoS attacks are used as a distraction from other criminal activities, for extortion, to gain a competitive advantage, or for ideological reasons. 

If resources are crushed by false requests originating from different compromised devices simultaneously, attackers can effectively lock out genuine users from the affected platform.

- Advertisement - EHA

Cybersecurity researchers at XLab recently discovered that CatDDoS has been actively exploiting over 80 vulnerabilities and attacking more than 300 targets daily.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

With recent observations, XLab’s CTIA system has been closely monitoring very active DDoS botnets that have always been prolific and persistent threats posed by CatDDoS-related syndicates. 

These actors have taken advantage of over 80 campaign vulnerabilities during the last three months. 

Even more disturbing is that the maximum number of targets in one day exceeded 300, illustrating the scale and gravity of these DDoS attacks. 

According to XLab’s data, over the past three months, more than 80 known vulnerabilities have been exploited by CatDDoS-affiliated groups. 

Using “Cacti-n0day” and “skylab0day” as parameter names indicates they may use 0-day exploits. 

Historic data shows that these actors target victims globally, mostly in the US, France, Germany, Brazil, and China, in the cloud services, education, research, telecommunications, public administration, and construction sectors.

These prolific DDoS botnet operators remain a persistent threat due to the wide distribution and exploitation of numerous vulnerabilities.

Historic data (Source - XLab)
Historic data (Source – XLab)

The CatDDoS botnet, a Mirai variant known by its cat-related nickname, launched multiple 60-second DDoS attacks on Shanghai Network Technology Co., LTD. tagged as “atk_0” after 9 PM of April 7th, 2024.

According to reports, it closed down in December 2023 after a source code leak, but other versions, such as RebirthLTD and Komaru, appeared immediately that exploited the compromised codebase.

These variants had many similarities in code, communication design, and decryption methods even though they were operated by different groups, collectively called “CatDDoS-related gangs.”

OpenNIC domains were used by active variants “v-2.0.4” and “v-Rebirth,” which utilized chacha20 encryption, respectively.

In general, changes from the original mostly focused on obfuscation techniques, such as removing symbols or modifying shells, to hinder analysis.

The v-snow_slide variant, believed to have been created by the defunct Aterna group, retained some Fodcha code commonalities specifically in its output “snow slide,” tea encryption, OpenNIC C2 domains, and shared communication protocols.

Interestingly enough it utilized taunts such as “N3tL4b360G4y” which targeted security firms during C2 check-ins.

Researchers also found instances of “template sharing” across groups involving reusing similar malware source code with slight modifications, an everyday IoT botnet activity that resulted in code homology. 

At least three other families used the CatDDoS’ chacha20 algorithm with the same key. 

Besides this, other variants’ C2 infrastructure was used as DDoS targets, pointing to deadly conflicts among operators competing for resources, which are consistent features of the IoT botnet landscape.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...

Mario Duarte, Former Snowflake Cybersecurity Leader, Joins Aembit as CISO to Tackle Non-Human Identities

Aembit, the non-human IAM company, today announced the appointment of Mario Duarte as chief...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...