Full Report
DDoS campaign by Matrix targets IoT devices and servers, exploiting weak credentials and public scripts
Analysis Summary
# Tool/Technique: Matrix DDoS Framework (Custom Toolkit)
## Overview
A collection of readily available tools, publicly posted scripts (from GitHub and similar platforms), and customized code (Python, Shell, Golang) used by the threat actor Matrix to build a distributed denial-of-service (DDoS) botnet by exploiting known vulnerabilities, misconfigurations, and weak or default credentials on IoT devices and enterprise servers.
## Technical Details
- Type: Attack Framework/Toolkit (Custom Assemblage)
- Platform: IoT Devices (Routers, DVRs, IP Cameras, telecom equipment running uClinux), Enterprise Servers (Apache Hadoop YARN, HugeGraph, SSH services)
- Capabilities: Scanning for vulnerable devices, exploiting known vulnerabilities (e.g., CVE-2017-18368, CVE-2021-20090), brute-forcing weak credentials, deploying malware, establishing command and control via Discord/Telegram.
- First Seen: Not explicitly dated in the source; the campaign was reported in November 2024.
## MITRE ATT&CK Mapping
The source describes the initial compromise of devices and the use of the resulting botnet for disruption; the mapping below covers only those phases.
- **TA0043 - Reconnaissance**
- T1595 - Active Scanning
- T1595.002 - Vulnerability Scanning
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (CVE-2017-18368, CVE-2021-20090, Hadoop YARN, HugeGraph)
- T1078.001 - Valid Accounts: Default Accounts ('root'/'admin')
- **TA0006 - Credential Access**
- T1110 - Brute Force
- T1110.001 - Password Guessing
- **TA0042 - Resource Development**
- T1584.005 - Compromise Infrastructure: Botnet
- **TA0011 - Command and Control**
- T1102 - Web Service (Discord bots)
- T1071 - Application Layer Protocol
- **TA0040 - Impact**
- T1498 - Network Denial of Service
## Functionality
### Core Capabilities
- **Scanning and Enumeration:** Identifying internet-facing devices such as routers, DVRs, IP cameras, and servers (Hadoop YARN, HugeGraph).
- **Exploitation:** Leveraging known CVEs like CVE-2017-18368 and CVE-2021-20090 against routers, and flaws in Hi3520 platform devices.
- **Credential Compromise:** Heavily relying on pre-existing weak or default credentials (80% of observed successful logins were for 'root' or 'admin').
- **Botnet Recruitment:** Deploying malware on compromised devices to enlist them into the DDoS botnet.
### Advanced Features
- **Script Versatility:** Utilizing a combination of Python, Shell, and Golang scripts.
- **Infrastructure Integration:** Incorporating existing tooling, specifically Mirai variants and SSH scanners, for initial access and device setup.
- **Monetization/C2 Infrastructure:** Using Discord bots for potential C2 orchestration and Telegram for offering DDoS services for cryptocurrency payments.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [None given; the source refers only to generic malware and scripts, including Mirai variants]
- Registry Keys: [Not applicable for the Linux/IoT targets involved]
- Network Indicators: Service monetization observed via Telegram; C2 implied through custom scripts and Discord bots. No specific C2 domains or IP addresses are given in the source text.
- Behavioral Indicators: Brute-force login attempts against network devices and enterprise protocols; exploitation attempts targeting CVE-2017-18368 and CVE-2021-20090; unauthorized access to Hi3520 platforms.
## Associated Threat Actors
- **Matrix:** The threat actor orchestrating this campaign, described as having limited technical sophistication yet being effective because of the accessibility of the tools used.
## Detection Methods
- **Signature-based detection:** Potential for signatures matching known Mirai variants repurposed by the actor.
- **Behavioral detection:** Monitoring for high volumes of failed logins against common IoT and server services (e.g., SSH and Telnet attempts against 'root'/'admin', requests to the Hadoop YARN ResourceManager REST API from unexpected sources), and for any successful login that follows such a burst from the same source.
- **YARA rules:** [Not provided in the text]
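The behavioral detection above is easy to express as a small log-processing rule. The following is an added example written for this summary, not code from the original report or from the Matrix toolkit: it parses OpenSSH syslog lines, flags a source that accumulates a burst of failed passwords inside a sliding window, and raises a second, stronger alert if a login from that source is then accepted. The log lines are constructed, and the threshold and window length are assumed tuning values rather than figures from the source.

```python
"""Detect SSH password-guessing bursts and the logins that follow them.

Added example, not code from the original report or from the Matrix toolkit.
The log lines are constructed in OpenSSH syslog format; the threshold and
window are assumed tuning values, not figures from the source.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammers 'root'/'admin' and then gets in,
# another source is a single typo followed by a normal key-based login.
SAMPLE_LOG = """\
Nov 20 10:01:02 edge sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Nov 20 10:01:03 edge sshd[1002]: Failed password for root from 203.0.113.10 port 40002 ssh2
Nov 20 10:01:04 edge sshd[1003]: Failed password for invalid user admin from 203.0.113.10 port 40003 ssh2
Nov 20 10:01:05 edge sshd[1004]: Failed password for invalid user admin from 203.0.113.10 port 40004 ssh2
Nov 20 10:01:06 edge sshd[1005]: Failed password for root from 203.0.113.10 port 40005 ssh2
Nov 20 10:01:07 edge sshd[1006]: Accepted password for root from 203.0.113.10 port 40006 ssh2
Nov 20 10:05:00 edge sshd[1010]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Nov 20 10:05:30 edge sshd[1011]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)

# The accounts the source says dominate the actor's credential list.
DEFAULT_ACCOUNTS = {"root", "admin"}


def parse_line(line, year=2024):
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for failure bursts per source IP, for any login that
    follows such a burst, and for password logins to default accounts."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> failure timestamps inside the window
    burst_ips = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            window = recent[ip]
            window.append(e["ts"])
            # Slide the window: drop failures older than window_seconds.
            while (e["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "count": len(window), "ts": e["ts"]})
        elif ip in burst_ips:
            # Success after a burst is the strongest signal of a compromise.
            alerts.append({"type": "login_after_bruteforce", "ip": ip,
                           "user": e["user"], "method": e["method"], "ts": e["ts"]})
        elif e["method"] == "password" and e["user"] in DEFAULT_ACCOUNTS:
            # Weaker signal: a default account is still reachable by password.
            alerts.append({"type": "default_account_password_login", "ip": ip,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed attempt from the second source never reaches the threshold and its key-based login raises nothing, which is the behaviour you want so the rule does not page on ordinary typos; the sliding window is what keeps a slow, spread-out guess rate from accumulating into a false burst.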
## Mitigation Strategies
- **Credential Management:** Immediately changing all factory-default and weak credentials (especially 'root' and 'admin') on all network-facing devices, including IoT, routers, and enterprise systems.
- **Patching/Vulnerability Management:** Applying patches immediately for known vulnerabilities such as CVE-2017-18368 and CVE-2021-20090.
- **Network Segmentation:** Isolating IoT devices from critical enterprise networks.
- **Protocol Hardening:** Enabling authentication on Apache Hadoop YARN (the ResourceManager REST API accepts job submissions without authentication unless Kerberos/secure mode is configured) and restricting it to trusted networks; for SSH, disabling password authentication and direct root login in favour of key-based access, and lowering the permitted authentication attempts per connection.
- **Software Sourcing:** Analyzing and minimizing the use of unvetted scripts sourced from platforms like GitHub that may contain latent malicious components.
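A check for the SSH side of the credential and protocol hardening above, added here as an example and not taken from the report: it parses an sshd_config the way sshd does (comments, case-insensitive keywords, first occurrence wins, global section only) and reports the directives that leave 'root'/'admin' password guessing viable. The weak and hardened fragments are constructed; the set of acceptable values and the MaxAuthTries ceiling are this example's own baseline, and the values assumed when a keyword is absent follow current OpenSSH defaults.

```python
"""Audit an sshd_config for the settings that make guessing 'root'/'admin'
passwords viable.

Added example, not from the original report. The two config fragments are
constructed; the baseline of acceptable values and the MaxAuthTries ceiling
are this example's assumptions, and the "default when absent" column follows
current OpenSSH defaults.
"""

# Constructed: a permissive configuration of the kind the campaign relies on.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 6
"""

# Constructed: the corrected configuration (key-only, no root, fewer tries).
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 20
"""

# Keyword -> (acceptable values, value sshd uses when the keyword is absent).
BASELINE = {
    "PermitRootLogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "PasswordAuthentication": ({"no"}, "yes"),
    "PermitEmptyPasswords": ({"no"}, "no"),
    "PubkeyAuthentication": ({"yes"}, "yes"),
}


def parse_sshd_config(text):
    """Return the global-section directives as lower-cased keyword -> value.

    Mirrors how sshd reads the file: lines starting with '#' are comments,
    keywords are case-insensitive, the first occurrence of a keyword wins,
    and anything after a 'Match' line is conditional, so it is not audited.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text, max_auth_tries=4):
    """Return a list of findings; an empty list means the file passes."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, (ok_values, default) in BASELINE.items():
        key = keyword.lower()
        value = settings.get(key, default)
        if value.lower() not in ok_values:
            # Flag implicit defaults too: an absent PasswordAuthentication
            # line means password logins are on.
            note = "" if key in settings else " (implicit default)"
            findings.append(f"{keyword} {value}{note}")
    tries = int(settings.get("maxauthtries", "6"))
    if tries > max_auth_tries:
        findings.append(f"MaxAuthTries {tries}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against an empty file and it still reports password authentication, because the absence of a directive is not the absence of the setting; that is the case a grep-based check typically misses.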
## Related Tools/Techniques
- Mirai variants (Mentioned as an integrated component/basis for tool development)
- General IoT Botnet creation/recruitment techniques.
- Brute-forcing techniques targeting administrative interfaces.