Update, Nov. 27, 2024: This story, originally published Nov. 26 now includes additional information regarding the Matrix campaign’s initial access routes.
Your home router could be running slow as it has become part of the Matrix, according to a newly published report by Assaf Morag, the director of Aqua Nautilus threat intelligence at Aqua Security. Here’s what you need to know about this new and widespread cyber attack.
35 Million Machines Could Become Part Of The Matrix, Researchers Say
With almost 35 million devices being identified as vulnerable worldwide, threat intelligence researchers from Aqua Nautilus have warned that the Matrix could be slowing down internet speeds for home users of affected routers and exposing businesses to operational disruption, cybercrime and reputational damage.
The distributed denial-of-service campaign was masterminded by a threat actor called Matrix, Morag said, and “demonstrates a growing trend among threat actors to target vulnerabilities and misconfigurations across internet-connected devices, particularly IoT and enterprise systems.” In the case of Matrix, the DDoS campaign has combined a whole bunch of things to create a formidable botnet: public scripts, brute-force attacks as well as weak credentials exploitation.
The Aqua Security report suggests that the Matrix threat actor is likely Russian, but with no direct targeting of Ukrainian victims, it would appear the motivation is purely financial rather than political in this instance. What the threat intelligence does highlight, however, is the continuing evolution of the DDoS threat within an ever-changing landscape “where even script kiddies can leverage open-source tools to execute sophisticated and large-scale campaigns,” Morag said.
Matrix Attack Initial Access Vectors Explored
In the report analysis, Morag said that by gathering together publicly available hacking scripts along with other tools in order to exploit commonly known defaults passwords, including those that are hardcoded into devices, the Matrix attacker could gain initial access to a broad sweep of internet-connected devices and servers, not just routers. These included the likes of internet-connected cameras, digital video recorders and telecom equipment.
“In addition to IoT devices,” Morag said, “the attackers are also targeting common protocols and applications such as telnet, SSH, Hadoop, and HugeGraph, exploiting vulnerabilities and misconfigurations to gain access to more robust server infrastructure.” Unfortunately, many of the attacks used to acquire such initial access to connected devices involve bog-standard brute-force credential login attempts. These were found to be using “common default credentials like admin:admin or root:camera,” Morag explained, “which continue to be prevalent on unprotected devices, making them particularly vulnerable to compromise.” And once any of these devices have been compromised, of course, they become very valuable assets within a much larger-scale operation than an attacker using a single hacked device could ever hope to achieve.
More specifically, the initial access routes taken by the Matrix attacker included:
- Attacks on routers, including ZTE and GPON models, exploit vulnerabilities such as CVE-2017-18368, a command injection flaw, and CVE-2021-20090, which affects various devices running Arcadyan firmware.
- Attackers leveraging weaknesses in surveillance devices using the Hi3520 platform, enabling unauthorized access and command execution through HTTP.
- Devices running lightweight Linux distributions like uClinux are targeted, taking advantage of default configurations and services, including UPnP vulnerabilities in Huawei and Realtek devices.
- The campaign also targets vulnerabilities in Apache Hadoop’s YARN and HugeGraph servers, enabling remote code execution and expanding the attack beyond IoT devices to enterprise software.
Matrix Demonstrates How A One-Stop Shop For All Your DIY Cyber Attack Needs Is Possible
Morag mentioned script kiddies, those criminal hackers with a low degree of technical and coding skill, for a very good reason: several indicators suggest that Matrix is a single threat actor rather than a cybercrime group, and a script kiddie at that. None of which would appear to have stopped them from orchestrating a global attack on such a huge scale. “With the proliferation of artificial intelligence tools and an abundance of plug-and-play hacking tools,” Morag warned, “script kiddies now pose a greater threat than ever before.”
What is interesting, however, from the cybercrime evolutionary perspective at least, is how this attack campaign marks a hybridization of software development life cycle servers and internet-of-things devices. Traditionally, if such a term can apply to cybercrime, the former have largely been used for crypto mining activity and the latter DDoS botnets. “This shift may signal an increasing interest in leveraging corporate vulnerabilities and misconfigurations for DDoS activities,” Morag said.
Although the campaign in and of itself could hardly be called sophisticated, what the Matrix threat actor has managed to do is highlight how a little technical know-how and a lot of easily accessible tools can combine to cause a formidable DDoS attack botnet.
To escape the Matrix you need to ensure your routers are updated with the latest firmware, have strong admin passwords and you are not relying upon default credentials.
