Researchers found that vulnerable MySQL servers are being deployed with the Ddostf DDoS bot, which is capable of launching Distributed Denial of Service (DDoS) attacks.
Ddostf, which was first identified around 2016, is well-known for supporting both Windows and Linux platforms and is believed to have been built in China.
As such, attacks targeting MySQL servers operating in Windows environments are continuously being discovered, according to the AhnLab Security Emergency Response Center.
Previous analysis indicates that Gh0st RAT and AsyncRAT malware variants account for most malware strains targeting susceptible MySQL servers.
Ddostf has an ELF format that can be used in Linux environments and a PE format that can be used in Windows environments.
The inclusion of the “ddos.tf” string in Ddostf’s binary is a distinguishing feature. Before registering as a service, Ddostf copies itself in the %SystemRoot% directory under a random name when it is executed.
When it first connects, it gathers the most basic data from the compromised device and transmits it to the C&C server, reads the report.
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
The C&C server responds with data in addition to commands when it receives information from the compromised system. It contains the download URL, for instance, in the case of specific DDoS attack methods or download commands.
SYN Flood, UDP Flood, and HTTP GET/POST Flood attacks are just a few of the techniques used in internal DDoS attacks.
Further, Ddostf is unique in that it can establish a connection to a newly obtained address from the C&C server and run commands there for a certain amount of time.
This suggests that the threat actor Ddostf can infect a large number of systems and subsequently sell DDoS attacks as a service.
Generally, threat actors will use scans to find possible targets for their attacks. Scanners look for systems that use the 3306/TCP port, which is used by MySQL servers, among the systems that are publicly accessible.
Threat actors can then target the system using dictionary or brute-force attacks.
If the system manages user credentials improperly, threat actors may be able to get administrator account credentials.
Additionally, if the system is running an unpatched version with vulnerabilities, threat actors may be able to make use of these vulnerabilities.
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.
A ransomware attack has compelled UK Brit, a prominent British high school, to close its…
A serious code execution vulnerability in the TP-Link TL-WR940N router, identified as CVE-2024-54887, has become…
A significant security vulnerability, designated as CVE-2024-13454, has been discovered in the OpenVPN Easy-RSA tool,…
Christian Brabandt, a prominent figure in the Vim community, announced the patching of a medium-severity…
Researchers uncovered several significant vulnerabilities within Azure DevOps, specifically focusing on potential Server-Side Request Forgery…
Socket’s threat research team has identified a series of malicious npm packages specifically designed to…