IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024

Summary:
Trend Micro uncovered an IoT botnet in late 2024 and has been continuously monitoring it as it conducts large-scale distributed denial-of-service (DDoS) attacks. The attack commands issued by its C2 server have mainly targeted Japan, but Trend Micro has also observed attacks against companies in other countries. Trend Micro assesses it likely that these commands caused the temporary connection and network disruptions to web services that were reported in the same timeframe in which the commands were issued. The botnet is made up of malware derived from Mirai and Bashlite (Gafgyt) and infects IoT devices by exploiting remote code execution flaws or by brute-forcing weak default (initial) passwords. After the initial compromise, a download script runs on the infected host; it fetches and executes a second-stage executable (the loader) from a distribution server, and the loader in turn retrieves the final payload (the actual bot) from the distribution server over HTTP. The payload is written directly into memory and executed there, so no executable file is left on disk, a memory-injection technique intended to evade detection. The malware also abuses the Linux iptables command, both to delay discovery of the infection and to manipulate the packets used in its DDoS attacks.
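The two host-side behaviours described above (a payload executed from memory with no file on disk, and iptables tampering) can be triaged on a Linux device with the following script. This is an added example written for this page, not Trend Micro's tooling or the botnet's code. It assumes that in-memory execution shows up as an /proc/<pid>/exe link pointing at an anonymous memory file ("/memfd:...", as created by memfd_create) or at a binary unlinked after exec ("... (deleted)"), and that the iptables rules it flags (dropping outbound RST, closing the service port the bot came in through) are patterns typical of Mirai-family bots; the page does not list the exact rules this botnet installs, so both are labelled assumptions.

```python
"""Host triage for fileless execution and iptables tampering (added example)."""
import os
import re
from typing import List, Optional, Tuple

# Assumption: memfd_create-backed payloads appear as "/memfd:<name> (deleted)";
# a payload unlinked after exec appears as "<path> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:")
DELETED_RE = re.compile(r"\(deleted\)$")


def classify_exe(target: str) -> Optional[str]:
    """Return a finding for an /proc/<pid>/exe link target, or None if benign."""
    if MEMFD_RE.match(target):
        return "memfd-backed executable (fileless)"
    if DELETED_RE.search(target):
        return "executable unlinked after exec"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk /proc and return (pid, exe target, finding) for suspicious processes."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:  # kernel thread, process exited, or not readable
            continue
        finding = classify_exe(target)
        if finding:
            findings.append((int(name), target, finding))
    return findings


# Assumption: patterns commonly installed by Mirai-family bots, matched against
# `iptables-save` output. Not the rules of this specific botnet.
SUSPICIOUS_RULES = [
    # Dropping outbound RST keeps the kernel from resetting connections the
    # bot opened from a raw socket, which is how "packet manipulation" for a
    # SYN flood usually looks on the host.
    (re.compile(r"-A OUTPUT .*--tcp-flags RST RST .*-j DROP"),
     "outbound RST suppressed"),
    # Closing the telnet/HTTP port the bot came in through blocks rival bots
    # and hides the vulnerable service from scanners and admins.
    (re.compile(r"-A INPUT .*--dport (23|2323|80|8080) .*-j DROP"),
     "inbound service port closed"),
]


def audit_iptables(save_output: str) -> List[Tuple[str, str]]:
    """Return (rule, reason) pairs for iptables-save lines matching a pattern."""
    hits = []
    for line in save_output.splitlines():
        for pattern, reason in SUSPICIOUS_RULES:
            if pattern.search(line):
                hits.append((line.strip(), reason))
    return hits


# Constructed sample of iptables-save output, for offline use of audit_iptables().
SAMPLE_IPTABLES = """\
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT
"""

if __name__ == "__main__":
    for pid, target, finding in scan_proc():
        print(f"pid {pid}: {finding}: {target}")
    for rule, reason in audit_iptables(SAMPLE_IPTABLES):
        print(f"{reason}: {rule}")
```

On a live device, run it as root and feed `audit_iptables()` the output of `iptables-save` instead of the constructed sample; a hit on "outbound RST suppressed" on a device that has no business doing so is a strong indicator, while the port-closing rule needs to be compared against the device's expected configuration.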

Security Officer Comments:
Trend Micro tracked attacks from this botnet from December 27, 2024, to January 4, 2025, when analyzing the DDoS attack targets. Targets include organizations in Asia, North America, South America, and Europe. The primary targets appear to be North America and Europe, with 17% of attacks directed at the US. Trend Micro's research, however, focuses particularly on attacks against Japan; certain attack commands used against international targets were not used against Japanese targets. For an overview of such DDoS attacks and countermeasures against them, refer to the guide provided by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Given that this botnet spreads by exploiting remotely exploitable flaws and weak default passwords, it is paramount to thoroughly implement IoT device security measures (changing default credentials, patching, and limiting exposure of device management services) to protect endpoints and IoT devices. By proactively securing IoT devices, defenders and employees help prevent the spread of botnets and protect against the threats linked with these types of attacks.

Suggested Corrections:
IOCs are available in the Trend Micro report linked below.

Countermeasures for DDoS attacks using UDP (UDP Flood)
  • Use a firewall or router to block specific IP addresses or protocols and restrict traffic.
  • Collaborate with communication service providers to filter DDoS traffic at the backbone or edge of the network.
  • Strengthen router hardware to increase the number of packets that can be processed.
  • Perform real-time monitoring and block IP addresses with high communication traffic.
Countermeasures for DDoS attacks using TCP (TCP SYN Flood, TCP ACK Flood, STOMP Flood, GRE Flood, socket flood, handshake flood)
  • Use a CDN provider to distribute and mitigate the load of the attack.
  • Limit the number of requests that a specific IP address can send within a certain period of time.
  • Use third-party services to separate attack traffic and process clean traffic.
  • Perform real-time monitoring and block IP addresses with a high number of connections.
  • Detect and block abnormal traffic with IDS/IPS.
  • Use behavioral analysis to cut off clients that have been connected for a long time without sending packets.
  • Strengthen server hardware to increase the number of packets that can be processed.
  • Increase the upper limit of server connections to improve availability.
  • Shorten timeout periods to quickly reuse server resources.
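The "real-time monitoring, then block sources with high traffic or many connection attempts" bullets in both lists above come down to one mechanism: a sliding-window counter per source and per traffic kind. The following is an added example written for this page (not from the Trend Micro report or CISA guidance) that implements it for UDP packet rate, pure-SYN rate (half-open attempts) and bare-ACK rate, over a constructed packet-summary feed; in practice the feed would come from NetFlow/sFlow, conntrack or a packet tap, and the thresholds here are illustrative assumptions rather than recommended values.

```python
"""Per-source sliding-window flood monitor (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float        # arrival time in seconds
    proto: str       # "udp" or "tcp"
    src: str         # source IP
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A", "PA"


class FloodMonitor:
    """Counts packets per (source, kind) in a trailing window and blocks
    a source the first time a kind exceeds its per-window limit."""

    def __init__(self, window: float = 1.0, udp_pps: int = 100,
                 syn_ps: int = 50, ack_ps: int = 200):
        self.window = window
        self.limits = {"udp": udp_pps, "syn": syn_ps, "ack": ack_ps}
        self.hist: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blocked: Dict[str, str] = {}

    @staticmethod
    def _kind(p: Pkt) -> Optional[str]:
        if p.proto == "udp":
            return "udp"
        if p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:
                return "syn"   # pure SYN: a half-open connection attempt
            if p.flags == "A":
                return "ack"   # bare ACK: ACK-flood candidate
        return None            # handshake replies, data segments: not counted

    def observe(self, p: Pkt) -> Optional[Tuple[str, str]]:
        """Feed one packet; return (src, reason) when a block is triggered."""
        kind = self._kind(p)
        if kind is None or p.src in self.blocked:
            return None
        q = self.hist[(p.src, kind)]
        q.append(p.ts)
        while q and q[0] <= p.ts - self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) > self.limits[kind]:
            reason = f"{len(q)} {kind} packets in {self.window}s"
            self.blocked[p.src] = reason
            return (p.src, reason)
        return None

    def run(self, pkts: Iterable[Pkt]) -> List[Tuple[str, str]]:
        ordered = sorted(pkts, key=lambda p: p.ts)
        return [d for d in (self.observe(p) for p in ordered) if d]


def build_sample() -> List[Pkt]:
    """Constructed traffic: one legitimate client, one SYN flooder, one UDP flooder."""
    pkts: List[Pkt] = []
    for k in range(10):                      # legitimate client, 10 handshakes over 2 s
        t = k * 0.2
        pkts += [Pkt(t, "tcp", "192.0.2.10", "S"),
                 Pkt(t + 0.01, "tcp", "192.0.2.10", "A"),
                 Pkt(t + 0.02, "tcp", "192.0.2.10", "PA")]
    pkts += [Pkt(i / 300, "tcp", "203.0.113.7", "S") for i in range(300)]   # 300 SYN/s
    pkts += [Pkt(2 + i / 400, "udp", "198.51.100.9") for i in range(200)]  # 400 UDP pps
    return pkts


if __name__ == "__main__":
    for src, reason in FloodMonitor().run(build_sample()):
        print(f"block {src}: {reason}")
```

The caveat a practitioner needs: per-source blocking only helps against sources that are real. Mirai-style SYN and UDP floods can spoof source addresses, in which case the counters never cross a threshold for any single source and the right mitigations are the other bullets above (SYN cookies and short timeouts on the server, upstream filtering by the provider, or absorbing the load through a CDN or scrubbing service).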
Link(s):
https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html