DDoS attacks in Q1 2021

[harlan4096]

News overview

Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.

Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka — nesting doll) due to the multi-step process for obtaining the C&C address. It is not the first bot to attack mobile devices through a debug interface. This loophole was previously exploited by ADB.Miner, Ares, IPStorm, Fbot, Trinity, and other malware.

Q1 was not without yet another iteration of Mirai. Cybercriminals infected network devices, exploiting relatively recently discovered vulnerabilities, plus several unknown bugs. According to the researchers who identified the attack, it might have affected several thousand devices.

In Q1 2021, cybercriminals also found a host of new tools for amplifying DDoS attacks. One of them was Plex Media Server for setting up a media server on Windows, macOS, or Linux computers, network-attached storages (NAS), digital media players, and the like. Around 37,000 devices with Plex Media Server installed, accessible online directly or receiving packets redirected from specific UDP ports, turned out to be vulnerable. Junk traffic generated by Plex Media Server is made up of Plex Media Service Discovery Protocol (PMSSDP) requests and amplifies the attack by a factor of approximately 4.68.

A major amplification vector was the RDP service for remote connection to Windows devices. RDP servers listening on UDP port 3389 were used to amplify DDoS attacks. At the time of publishing the information about the misuse of the remote access service, 33,000 vulnerable devices had been found. The amplification factor was significantly higher than in the case of Plex Media Server: 85.9. To prevent attacks via RDP, it is recommended to hide RDP servers behind a VPN or disable UDP port 3389.

That said, a VPN is no panacea if it too is vulnerable to amplification attacks. In Q1 2021, for instance, attackers went after Powerhouse VPN servers. The culprit turned out to be the Chameleon protocol, which guards against VPN blocking and listens on UDP port 20811. The server response to requests on this port was 40 times larger than the original request. The vendor released a patch when they learned about the problem.

Alas, not all users of vulnerable programs and devices install updates promptly. For instance, as of mid-March, there were around 4,300 web-based servers for DDoS amplification through the DTLS protocol — this method was covered in our previous report. Vulnerable devices were either misconfigured or missing the latest firmware version with the required settings. Cybercriminals have wasted no time in adding this amplification method (as well as most others discovered just this past quarter) to their arsenal of DDoS-for-hire platforms.

Non-standard protocols are of interest to cybercriminals not only as a means of amplification, but as a tool for carrying out DDoS attacks. In Q1, a new attack vector appeared in the form of DCCP (Datagram Congestion Control Protocol), a transport protocol for regulating the network load when transmitting data in real time, for example, video streaming. The built-in mechanisms to protect against channel congestion did not prevent attackers using this protocol to flood victims with multiple connection requests. What’s more, on the side of the junk packet recipients, there were no online-accessible DCCP applications. Most likely, the attackers were randomly looking for a way to bypass standard DDoS protection.
...

Continue Reading