
Here’s how simple it is for script kiddies to stand up DDoS services

How plug-and-play hacking tools and lax configs helped a Russian script kiddie start a scheme.

A new report from Aqua Security highlights just how easy it is for an amateur-level hacker to set up malicious services that could in turn be weaponized by much more skillful threat actors in the future.

The cloud security company detailed, in a report released Tuesday, an operation that sells access to distributed denial-of-service (DDoS) tools on Telegram. The operation was started by an apparent Russian threat actor known as “Matrix,” a name Aqua tied to the commits of a GitHub account. The threat actor, which Aqua calls a “script kiddie,” spent a year building a botnet from a mashup of open-source hacking tools while exploiting old bugs and default credentials in routers, DVRs, and other internet-connected devices.

Assaf Morag, director of threat intelligence at Aqua Nautilus, wrote that even “script kiddies can leverage open-source tools to execute sophisticated and large-scale campaigns.”

“Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software,” Morag wrote. “The campaign ultimately reflects how a lack of basic security configurations can leave devices vulnerable to extensive exploitation with minimal technical sophistication.”


The result of Matrix’s work is a Telegram bot dubbed “Kraken Autobuy” that automatically sells plans, paid in cryptocurrency, ranging from “Basic” to “Ultima” to “Enterprise” tiers of DDoS attacks. Aqua researchers noted that the entire operation is a mesh of DDoS frameworks and configuration tools, including the Mirai botnet, SSH scanners, Python bots, and a Discord bot. Most of the code is available online and was rewritten to work together.

For example, the operation also uses playit.gg, a tunneling service that makes it easy to host multiplayer games or web servers without configuring complex network settings, as part of its command-and-control infrastructure.

“The true skill lies in the ability to integrate and operate these tools effectively, highlighting the growing threat posed by script kiddies with access to readily available hacking resources,” Morag wrote.

Aqua Security initially discovered the campaign when the attacker attempted to add one of its honeypots to the botnet. While it’s not clear how many devices make up the botnet, Morag has seen Matrix offer botnet services on cybercriminal forums. He also said that if one percent of the 35 million devices targeted by the attacker are vulnerable, the botnet could reach up to 350,000 compromised devices for rent.

The targeted devices include routers and other equipment from companies such as Huawei, ZTE, and TP-Link, as well as systems running embedded Linux variants like uClinux with insecure default configurations, among others. Most of these devices would have escaped notice if not for a lack of “fundamental security practices,” the report notes.


While DDoS attacks might not appear highly sophisticated, a script kiddie’s ability to carry them out with readily available tools underscores the challenge of securing those same devices against exploitation by more formidable state-sponsored threats, such as China’s targeting of vulnerable routers and internet-connected devices.

Morag noted that Matrix appears to be based in Russia but largely targets China and Japan, likely because of those countries’ widespread adoption of IoT devices. Neither the U.S. nor Ukraine is high on the target list, which Morag wrote indicates that “motivations are strongly tied to financial gain rather than any patriotic sentiment.” But Matrix is just one of a small group of lone actors that target insecure internet-connected devices, which are essentially free playthings for malicious actors everywhere.

The U.S. government has warned about vulnerable routers, including as recently as September, as Chinese threat actors continue to target these devices to build a worldwide botnet for malicious activity. U.S. officials said that the botnet had grown to more than 260,000 devices spanning the globe by June 2024 before it was taken down.

Russian hacktivists have also used DDoS attacks against critical infrastructure. In July, the Treasury Department sanctioned members of the Cyber Army of Russia Reborn, a pro-Russian group with ties to Russian military intelligence, for DDoS attacks against U.S. critical infrastructure.

But while Beijing’s state-backed hackers may have access to some of the most closely held vulnerabilities and zero-days, Matrix chose to use years-old vulnerabilities and password sprays of default logins such as admin:admin against misconfigured devices that are easy to find, then added those devices to the botnet.
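The default-credential spraying described here is exactly the activity a Telnet/SSH honeypot like the one that tipped off Aqua would record. What follows is an added example written for this page, not code from the Aqua report or from Matrix’s tooling: it parses a handful of constructed honeypot log lines (loosely modeled on the JSON login events a Cowrie-style honeypot emits; the field names, the event names and every record are assumptions made for this example) and flags source addresses that cycle through well-known factory credential pairs or succeed with one. The credential list is illustrative, drawn from pairs commonly seen in IoT botnet wordlists, and is not the list Matrix used.

```python
import json
from collections import defaultdict

# Illustrative factory credential pairs of the kind IoT botnet wordlists carry.
# This is an assumed sample for the example, not Matrix's list.
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("root", "vizxv"), ("root", "xc3511"),
}

# Constructed log lines, modeled loosely on Cowrie-style honeypot JSON events.
# Addresses are from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "admin", "password": "admin", "timestamp": "2024-11-26T10:00:01Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "vizxv", "timestamp": "2024-11-26T10:00:02Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "xc3511", "timestamp": "2024-11-26T10:00:03Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "username": "admin", "password": "1234", "timestamp": "2024-11-26T10:00:04Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "timestamp": "2024-11-26T10:04:59Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "alice", "password": "S3cure!pass", "timestamp": "2024-11-26T10:05:00Z"}
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize_sources(events, defaults=DEFAULT_CREDS, threshold=3):
    """Per source IP: count login attempts, how many used a known default pair,
    whether a default pair actually logged in, and a flag for likely default-credential spraying."""
    stats = defaultdict(lambda: {
        "attempts": 0, "default_hits": 0, "success_with_default": False, "pairs": [],
    })
    for ev in events:
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue  # connection/session noise is not a credential attempt
        pair = (ev.get("username", ""), ev.get("password", ""))
        s = stats[ev.get("src_ip", "?")]
        s["attempts"] += 1
        s["pairs"].append(pair)
        if pair in defaults:
            s["default_hits"] += 1
            if ev["eventid"] == "cowrie.login.success":
                s["success_with_default"] = True
    # A source is flagged if it sprayed several known defaults or got in with one.
    return {
        src: {**s, "flagged": s["default_hits"] >= threshold or s["success_with_default"]}
        for src, s in stats.items()
    }


if __name__ == "__main__":
    for src, s in summarize_sources(parse_events(SAMPLE_LOG)).items():
        status = "FLAG" if s["flagged"] else "ok  "
        print(f"{status} {src}: {s['attempts']} attempts, "
              f"{s['default_hits']} default pairs, logged in with default: {s['success_with_default']}")
```

On the constructed sample, 203.0.113.10 is flagged (four known default pairs tried, one of them succeeding) while 198.51.100.7 is not. In a real deployment the threshold and the credential set should be tuned to the honeypot’s traffic, and a success with a default pair on a production device is the finding that matters, since it means the device shipped or was deployed with the factory login still in place.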
