Saturday, January 18, 2025

CatDDoS Exploiting 80+ Vulnerabilities, Attacking 300+ Targets Daily


Hackers actively use Distributed Denial of Service (DDoS) attacks, in which malicious traffic floods targeted systems, servers, or networks.

Sometimes, DDoS attacks are used as a distraction from other criminal activities, for extortion, to gain a competitive advantage, or for ideological reasons. 

By overwhelming resources with bogus requests sent simultaneously from many compromised devices, attackers can effectively lock genuine users out of the affected platform.

Cybersecurity researchers at XLab recently discovered that CatDDoS has been actively exploiting over 80 vulnerabilities and attacking more than 300 targets daily.


Technical Analysis

XLab’s CTIA system has been closely monitoring very active DDoS botnets, and its recent observations show that CatDDoS-related gangs remain a prolific and persistent threat.

These actors have exploited over 80 vulnerabilities in their campaigns during the last three months.

Even more disturbing is that the maximum number of targets in one day exceeded 300, illustrating the scale and gravity of these DDoS attacks. 

According to XLab’s data, over the past three months, more than 80 known vulnerabilities have been exploited by CatDDoS-affiliated groups. 

The use of “Cacti-n0day” and “skylab0day” as parameter names suggests that they may be using 0-day exploits.

Historic data shows that these actors target victims globally, mostly in the US, France, Germany, Brazil, and China, in the cloud services, education, research, telecommunications, public administration, and construction sectors.

These prolific DDoS botnet operators remain a persistent threat due to the wide distribution and exploitation of numerous vulnerabilities.

Historic data (Source - XLab)

The CatDDoS botnet, a Mirai variant known by its cat-related nickname, launched multiple 60-second DDoS attacks, tagged as “atk_0”, on Shanghai Network Technology Co., LTD. after 9 PM on April 7th, 2024.

According to reports, it shut down in December 2023 after a source code leak, but other versions built on the leaked codebase, such as RebirthLTD and Komaru, appeared immediately.

These variants had many similarities in code, communication design, and decryption methods even though they were operated by different groups, collectively called “CatDDoS-related gangs.”

OpenNIC domains were used by active variants “v-2.0.4” and “v-Rebirth,” which utilized chacha20 encryption, respectively.

In general, changes from the original mostly focused on obfuscation techniques, such as removing symbols or modifying shells, to hinder analysis.

The v-snow_slide variant, believed to have been created by the defunct Aterna group, retained some Fodcha code commonalities specifically in its output “snow slide,” tea encryption, OpenNIC C2 domains, and shared communication protocols.

Interestingly, it used taunts such as “N3tL4b360G4y”, aimed at security firms, during C2 check-ins.

Researchers also found instances of “template sharing” across groups involving reusing similar malware source code with slight modifications, an everyday IoT botnet activity that resulted in code homology. 

At least three other families used the CatDDoS’ chacha20 algorithm with the same key. 
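A shared key of this kind is what lets an analyst link families: a key recovered from one sample also decrypts blobs carved from the others. The sketch below is an added example, not XLab's tooling or code from the original report. It assumes the key protects embedded string tables and that the nonce is already known; the keys, nonce, family labels and strings are all constructed placeholders.

```python
import struct

def _rotl(v, n):
    return ((v << n) & 0xffffffff) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

# Column rounds followed by diagonal rounds (one "double round").
_QUARTERS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
             (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def chacha20_xor(key, nonce, data, counter=1):
    """RFC 8439 ChaCha20: 32-byte key, 12-byte nonce, 32-bit block counter."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = struct.pack("<I", counter + off // 64)
        init = list(struct.unpack("<16I", b"expand 32-byte k" + key + block + nonce))
        s = init[:]
        for _ in range(10):  # 10 double rounds = 20 rounds
            for q in _QUARTERS:
                _qr(s, *q)
        ks = struct.pack("<16I", *[(x + y) & 0xffffffff for x, y in zip(s, init)])
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def looks_decrypted(buf, threshold=0.95):
    """Heuristic: the right key yields mostly printable ASCII and NUL separators."""
    ok = sum(1 for b in buf if b == 0 or 32 <= b < 127)
    return bool(buf) and ok / len(buf) >= threshold

def shares_key(key, nonce, blobs):
    """Map each sample label to True when the candidate key decrypts it to text."""
    return {n: looks_decrypted(chacha20_xor(key, nonce, b)) for n, b in blobs.items()}

# Constructed lab data: placeholder keys, nonce and made-up string tables.
KEY_A, KEY_B, NONCE = bytes(range(32)), bytes(range(32, 64)), bytes(12)
SAMPLES = {
    "family_1": chacha20_xor(KEY_A, NONCE, b"c2.example.invalid\x00/bin/busybox\x00"),
    "family_2": chacha20_xor(KEY_A, NONCE, b"report.example.invalid\x00watchdog\x00"),
    "family_3": chacha20_xor(KEY_B, NONCE, b"other.example.invalid\x00/proc/self/exe\x00"),
}

if __name__ == "__main__":
    print(shares_key(KEY_A, NONCE, SAMPLES))
```
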

Beyond this, the C2 infrastructure of other variants was itself hit as a DDoS target, pointing to deadly conflicts among operators competing for resources, which are a consistent feature of the IoT botnet landscape.


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
