Sunday, June 16, 2024

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily

Malicious traffic floods targeted systems, servers, or networks in Distributed Denial of Service (DDoS) attacks are actively exploited by hackers. 

Sometimes, DDoS attacks are used as a distraction from other criminal activities, for extortion, to gain a competitive advantage, or for ideological reasons. 

If resources are crushed by false requests originating from different compromised devices simultaneously, attackers can effectively lock out genuine users from the affected platform.

Cybersecurity researchers at XLab recently discovered that CatDDoS has been actively exploiting over 80 vulnerabilities and attacking more than 300 targets daily.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

With recent observations, XLab’s CTIA system has been closely monitoring very active DDoS botnets that have always been prolific and persistent threats posed by CatDDoS-related syndicates. 

These actors have taken advantage of over 80 campaign vulnerabilities during the last three months. 

Even more disturbing is that the maximum number of targets in one day exceeded 300, illustrating the scale and gravity of these DDoS attacks. 

According to XLab’s data, over the past three months, more than 80 known vulnerabilities have been exploited by CatDDoS-affiliated groups. 

Using “Cacti-n0day” and “skylab0day” as parameter names indicates they may use 0-day exploits. 

Historic data shows that these actors target victims globally, mostly in the US, France, Germany, Brazil, and China, in the cloud services, education, research, telecommunications, public administration, and construction sectors.

These prolific DDoS botnet operators remain a persistent threat due to the wide distribution and exploitation of numerous vulnerabilities.

Historic data (Source - XLab)
Historic data (Source – XLab)

The CatDDoS botnet, a Mirai variant known by its cat-related nickname, launched multiple 60-second DDoS attacks on Shanghai Network Technology Co., LTD. tagged as “atk_0” after 9 PM of April 7th, 2024.

According to reports, it closed down in December 2023 after a source code leak, but other versions, such as RebirthLTD and Komaru, appeared immediately that exploited the compromised codebase.

These variants had many similarities in code, communication design, and decryption methods even though they were operated by different groups, collectively called “CatDDoS-related gangs.”

OpenNIC domains were used by active variants “v-2.0.4” and “v-Rebirth,” which utilized chacha20 encryption, respectively.

In general, changes from the original mostly focused on obfuscation techniques, such as removing symbols or modifying shells, to hinder analysis.

The v-snow_slide variant, believed to have been created by the defunct Aterna group, retained some Fodcha code commonalities specifically in its output “snow slide,” tea encryption, OpenNIC C2 domains, and shared communication protocols.

Interestingly enough it utilized taunts such as “N3tL4b360G4y” which targeted security firms during C2 check-ins.

Researchers also found instances of “template sharing” across groups involving reusing similar malware source code with slight modifications, an everyday IoT botnet activity that resulted in code homology. 

At least three other families used the CatDDoS’ chacha20 algorithm with the same key. 

Besides this, other variants’ C2 infrastructure was used as DDoS targets, pointing to deadly conflicts among operators competing for resources, which are consistent features of the IoT botnet landscape.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles