New DDoS Campaign Exploits IoT Devices and Server Misconfigurations

Written by

A widespread distributed denial-of-service (DDoS) campaign leveraging accessible tools and targeting IoT devices and enterprise servers has been uncovered by security researchers.

Orchestrated by a threat actor known as Matrix, the operation highlights how minimal technical knowledge combined with public scripts can enable global scale cyber-attacks.

Matrix’s attack framework, analyzed in detail by Aqua Nautilus, focuses on exploiting vulnerabilities and misconfigurations across internet-connected devices.

The campaign employs brute-force attacks, weak credentials and known exploits to build a botnet capable of significant disruption. This reflects a growing trend where ‘script kiddies’ leverage publicly available tools to execute sophisticated attacks.

Key Characteristics of the Attack

Matrix’s operation is a comprehensive “do-it-yourself” approach, scanning, exploiting and deploying malware on:

  • Routers: Exploits include vulnerabilities such as CVE-2017-18368 and CVE-2021-20090

  • DVRs and IP cameras: Using flaws in devices with the Hi3520 platform for unauthorized access

  • Enterprise protocols: Targeting Apache Hadoop’s YARN, HugeGraph servers and SSH misconfigurations

  • IoT devices: Exploits on lightweight Linux distributions like uClinux in telecom equipment

The attacks heavily rely on default or weak passwords, with 80% of identified credentials tied to root or admin users. These tactics emphasize how failure to adopt basic security measures – such as changing factory-default credentials – exposes devices to compromise.

Target Scope and Implications

Matrix’s targets span cloud service providers (CSPs), smaller enterprises and IoT-heavy regions like China and Japan. Analysis revealed up to 35 million potential devices could be affected, suggesting a botnet of 350,000 to 1.7 million devices, depending on vulnerability rates.

The campaign underscores a shift toward exploiting corporate vulnerabilities alongside IoT systems. Historically, cryptomining dominated such attacks, but Matrix’s focus includes both production and development servers, amplifying the risk for enterprise environments.

Read more on mitigating DDoS threats: UK Council Sites Recover Following Russian DDoS Blitz

Tools and Infrastructure

Matrix utilizes a mix of Python, Shell and Golang-based scripts sourced from GitHub and other platforms. Tools like Mirai variants, SSH scanners and Discord bots highlight the integration of pre-existing frameworks into customized campaigns. The threat actor also monetizes services via Telegram, offering DDoS plans for cryptocurrency payments.

While Matrix appears to lack advanced capabilities, the ease of assembling and operating these tools exemplifies the growing risk posed by low-sophistication actors armed with accessible resources.

Addressing these threats requires robust security measures, including regular updates, strong credentials and monitoring for exposed vulnerabilities.

What’s hot on Infosecurity Magazine?