CatDDoS: a new variation of the Mirai botnet attacks 300+ targets daily

Tomcat

Hackers use more than 80 publicly available vulnerabilities to infect devices.

Over the past three months, the hackers behind the CatDDoS botnet have exploited more than 80 known vulnerabilities in various software products to infect devices and integrate them into their network to conduct denial-of-service (DDoS) attacks.

According to researchers from QiAnXin, the samples associated with CatDDoS use numerous known vulnerabilities. The maximum number of targets attacked per day exceeds 300.

The vulnerabilities affect routers, network equipment, and other devices from manufacturers such as Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel.

CatDDoS was first described by QiAnXin and NSFOCUS in late 2023 as a variant of the Mirai botnet, capable of conducting DDoS attacks using UDP, TCP, and other methods. First detected in August 2023, the malware got its name from strings such as "catddos.pirate" and "password_meow" found in its command-and-control domains.

Most of the attacked sites are located in China, the United States, Japan, Singapore, France, Canada, the United Kingdom, Bulgaria, Germany, the Netherlands, and India.

In addition to using the ChaCha20 algorithm to encrypt communication with the command center server, the botnet uses the OpenNIC domain to avoid detection. This method was previously used by another Mirai-based botnet called Fodcha.

CatDDoS also uses the same key and nonce pair for the ChaCha20 algorithm as three other botnets: hailBot, VapeBot, and Woodman.

According to QiAnXin XLab, CatDDoS attacks target cloud services, education, research, information technology, public administration, construction, and other industries.

It is assumed that the malware authors ceased their activities in December 2023, but before doing so they put the source code up for sale in a dedicated Telegram group.

As a result of the sale or leak of the source code, new botnet variants have appeared, such as RebirthLTD, Komaru, and Cecilio Network. Although the different variants may be operated by different groups, there are few changes in their code, communication design, and decryption methods.

The spread of the CatDDoS botnet and similar threats highlights the importance of timely patching of vulnerabilities, continuous threat monitoring, and international cooperation in cybersecurity to protect digital infrastructure.