Over the past three months, there has been a sharp increase in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS.
Description:
CatDDoS is a Mirai botnet variant that emerged in August 2023 and became a prominent threat in September 2023. After a short disappearance, it was observed being used by multiple threat groups (Komaru, RebirthLTD, Cecilio Network), each pursuing its own goals. More worrying still, during the latest attacks CatDDoS actors have compromised more than 300 targets per day.
The variant performs DDoS attacks using TCP, UDP and other methods. Its original source code appears to be the basis for all the variants that have been observed. CatDDoS encrypts communications with its command-and-control (C2) server using the ChaCha20 algorithm and uses an OpenNIC domain for C2 to evade detection.
The threat groups using CatDDoS have exploited at least 80 different vulnerabilities in their recent campaign. The vulnerabilities affect various products and technologies, including:
- Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ)
- Cisco
- Jenkins servers
- Linksys
- Netgear routers
- D-Link
- Metabase
- Cacti
- DrayTek
- FreePBX
- GitLab
- Gocloud
- Huawei
- Realtek
- Seagate
- SonicWall
- Tenda
- TOTOLINK
- TP-Link
- ZTE
- Zyxel
Some of the vulnerabilities are recent while others are relatively old, dating back more than a decade.
CatDDoS attacks have targeted organizations across several industries, including communication providers, construction companies, cloud vendors, and educational, scientific and research institutions. The most targeted countries so far are the United States, France, Germany, Brazil and China.
Recommendations:
To reduce exposure to CatDDoS attacks, the following measures are suggested.
- Keep your software, operating systems, and network devices up-to-date. Many CatDDoS attacks exploit known vulnerabilities, so patching is crucial.
- Increase bandwidth to absorb DDoS traffic and reduce the impact on your network.
- Monitor the traffic to understand what constitutes normal, low, and high volume for your organization. Set rate limits based on expected traffic patterns to prevent sudden spikes that could be indicative of an attack.
- Consider using specialized DDoS mitigation services provided by security vendors to detect and filter out malicious traffic.
- Configure firewalls and IPS to block suspicious traffic.
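The traffic-baselining recommendation above is easiest to understand with a concrete check. The following Python script is an added example, not code from the original bulletin or from any of the referenced sources: it parses constructed Apache-style access log lines, bucketizes requests per minute, derives a "normal / low / high" profile and a rate-limit threshold from a quiet training window, and then flags any minute whose volume exceeds that threshold, reporting how many distinct sources contributed (a distributed flood shows many sources at low per-source rates, which is what CatDDoS-style traffic looks like to a web server). All IP addresses, timestamps and the 3x spike factor are constructed assumptions for the demonstration.

```python
"""Traffic baselining and spike detection over web-server access logs.

Added example (not part of the bulletin). The log lines are constructed:
ten quiet minutes from three clients, then one minute flooded by twenty
sources at three requests each.
"""
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed "normal" profile: requests per minute for 12:00-12:09.
NORMAL_PROFILE = [5, 6, 4, 7, 5, 6, 5, 4, 6, 5]
NORMAL_SOURCES = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]  # constructed
FLOOD_SOURCES = [f"192.0.2.{i}" for i in range(1, 21)]              # constructed
SPIKE_FACTOR = 3.0  # assumption: flag a minute at 3x the median training volume

# Apache combined-log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def log_line(ip, minute, second):
    """Build one constructed access-log line at 12:<minute>:<second> UTC."""
    ts = f"10/Oct/2023:12:{minute:02d}:{second % 60:02d} +0000"
    return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"'


def build_sample_log():
    """Return the constructed log: a quiet baseline followed by a flood minute."""
    lines = []
    for minute, count in enumerate(NORMAL_PROFILE):
        for k in range(count):
            lines.append(log_line(NORMAL_SOURCES[k % len(NORMAL_SOURCES)], minute, k))
    for k in range(60):  # minute 12:10: 60 requests spread over 20 sources
        lines.append(log_line(FLOOD_SOURCES[k % len(FLOOD_SOURCES)], 10, k))
    return lines


def parse_line(line):
    """Return (timestamp, client_ip) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip")


def requests_per_minute(lines):
    """Map 'YYYY-MM-DD HH:MM' -> Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines instead of aborting the whole run
        ts, ip = parsed
        buckets[ts.strftime("%Y-%m-%d %H:%M")][ip] += 1
    return dict(buckets)


def traffic_profile(buckets, training_minutes):
    """Summarise what 'low', 'normal' and 'high' volume look like in training."""
    totals = [sum(buckets[m].values()) for m in training_minutes if m in buckets]
    return {"low": min(totals), "normal": statistics.median(totals), "high": max(totals)}


def derive_rate_limit(buckets, training_minutes, factor=SPIKE_FACTOR):
    """Per-minute request threshold: the training median scaled by `factor`."""
    normal = traffic_profile(buckets, training_minutes)["normal"]
    return max(1, math.ceil(normal * factor))


def find_spikes(buckets, rate_limit, top_n=5):
    """Minutes whose total exceeds the limit, with source-distribution detail."""
    spikes = []
    for minute in sorted(buckets):
        counter = buckets[minute]
        total = sum(counter.values())
        if total > rate_limit:
            spikes.append({
                "minute": minute,
                "requests": total,
                "distinct_sources": len(counter),
                "top_sources": counter.most_common(top_n),
            })
    return spikes


if __name__ == "__main__":
    buckets = requests_per_minute(build_sample_log())
    training = [f"2023-10-10 12:{m:02d}" for m in range(10)]
    print("profile:", traffic_profile(buckets, training))
    limit = derive_rate_limit(buckets, training)
    print("rate limit (req/min):", limit)
    for spike in find_spikes(buckets, limit):
        print("SPIKE", spike)
```

The median-based threshold is deliberately robust to a single noisy training minute, and the `distinct_sources` field is what separates a genuine distributed flood from one misbehaving client: the former calls for the upstream filtering or mitigation service mentioned in the recommendations, the latter for a per-source rate limit at the firewall.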
References:
- https://www.darkreading.com/cyberattacks-data-breaches/catddos-threat-groups-sharply-ramp-up-ddos-attacks
- https://thehackernews.com/2024/05/researchers-warn-of-catddos-botnet-and.html
- https://securityonline.info/catddos-related-gangs-ramp-up-attacks-exploiting-over-80-vulnerabilities/?utm_content=cmp-true
- https://cyberinsider.com/catddos-botnet-surges-in-activity-targets-over-80-vulnerabilities/
- https://www.thundercattech.com/resources/blogs/how-to-stop-a-ddos-attack/
- https://www.safetydetectives.com/blog/what-is-a-ddos-attack-and-how-to-prevent-one-in/