Posted on November 12, 2022 at 7:31 AM
A recently discovered DDoS bot has taken advantage of SSH connections with weak login credentials to mine crypto assets and deplete network resources.
Researchers at Akamai noted that the threat actors abused internet-facing protocols to gain access to enterprise systems and mine cryptocurrency. They also gained a foothold on corporate networks and launched DDoS attacks on targeted networks.
The researchers called the botnet KmsdBot. It breaks into systems over Secure Shell (SSH) connections protected by weak login credentials. The protocol gives users remote control and access, allowing them to administer their servers over the internet.
The Researchers Say The Botnet Is Highly Potent
The botnet is highly risky for organizations that utilize corporate networks connected to the internet or cloud infrastructure. Akamai’s security intelligence response engineer Larry Cashdollar commented that the threat actors generally target entities online and can spread themselves.
“Once this malware is running on your system, it essentially has a toehold into your network,” he added. According to Cashdollar, the malware has considerable strength and functionality, including the ability to update itself and to spread into the target’s network and surrounding systems. The KmsdBot botnet is written in Golang, which helps it evade detection by security software.
The researchers also noted that apart from its strong evasion capabilities, KmsdBot has an “erratic” range of targets. These include luxury car manufacturers and gaming and technology companies. It generally targets large organizations with an international presence.
Golang is a popular programming language used regularly by hackers and bad actors because of the difficulties security researchers face when they want to reverse-engineer it. This gives the threat actors the cover they need to continue their exploits for a very long time while staying under the radar.
But the KmsdBot botnet is not like other popular botnets. Once it has access to a system, it does not stay long to maintain persistence. This makes it slippery and hard to detect. By the time a researcher gets to the system, it has already done its damage and left. “It’s not often we see these types of botnets actively attacking and spreading,” Cashdollar added.
The Akamai researchers stated that the KmsdBot botnet was detected when it tried to access a honeypot that had been left unusually open to lure attackers. The first victim was a gaming company called FiveM, which is also an Akamai client. The gaming firm enables people to host custom servers for Grand Theft Auto Online.
According to the researchers, the attackers built a packet using a FiveM session token after opening a user datagram protocol (UDP) socket.
Other Less Specifically Targeted Attacks Were Discovered
UDP is a transport protocol used by many networks for time-sensitive transmissions across the internet, such as DNS lookups and video playback.
Cashdollar noted that the approach made the server behave as if a user wanted to start a new session. As a result, the server wastes processing resources on the supposed new session in addition to network bandwidth.
Additionally, the researchers say they discovered a range of other attacks by the KmsdBot, but these were less specifically targeted.
These include Layer 7 HTTP floods consisting of POST and GET requests, as well as generic Layer 4 TCP/UDP packets with random data as payload. The HTTP requests were directed at either a specific path or the root path set in the attack command.
The researchers discovered that the bot has a cryptomining capacity, but this aspect of its functionality was not observed.
KmsdBot is built for a wide range of architectures, including mips64, Winx86, x86_64, and Arm64, according to the researchers. It uses TCP to communicate with its command-and-control infrastructure.
Entities Can Protect Their Systems By Applying Security Protocols
The researchers have advised that entities can mitigate these attacks by applying common network security measures. Targeted organizations should use key-based authentication and disable password logins to give themselves a strong chance of protecting against attacks. Akamai added that cracking a company’s weak protections or using stolen credentials is one of the most common ways attackers gain access to enterprise systems.
Apart from using strong password protection, the researchers also advised entities to enable multifactor authentication (MFA) and other more advanced security approaches to offer stronger protection against intrusion. Despite these recommendations from various security organizations, companies still fail to protect their systems. This has led to many avoidable attacks, according to the researchers.
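The two SSH points the article makes, that the bot spreads over SSH logins with weak passwords and that the fix is key-based authentication with password logins disabled, can both be checked from a shell. The script below is an added example and is not code from the article or from Akamai. It audits an sshd_config for the directives involved (PasswordAuthentication, PubkeyAuthentication, PermitRootLogin), using OpenSSH's first-match rule for directives and its documented defaults, and it counts "Failed password" entries per source address in auth-log lines to surface password guessing. The config files and log lines are constructed for the example; the IP addresses are documentation ranges, not real sources, and the script assumes plain whitespace-separated directives with no Match blocks.

```shell
#!/bin/sh
# Added example (not from the article or Akamai): SSH hardening audit plus a
# simple password-guessing detector over auth-log lines.

# sshd_effective KEY DEFAULT FILE
# Prints the value sshd would use: the FIRST uncommented occurrence of KEY
# (sshd ignores later duplicates), or DEFAULT if the key is absent.
# Assumption: "Key value" syntax only; parsing stops at the first Match block.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { print (seen ? val : def) }' "$3"
}

# audit_sshd_config FILE
# Prints one "FAIL ..." line per weak setting, or one "OK ..." line.
# Returns 0 when the config blocks password guessing, 1 otherwise.
# Defaults are OpenSSH's: PasswordAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin prohibit-password.
audit_sshd_config() {
    cfg="$1"; rc=0
    pw=$(sshd_effective passwordauthentication yes "$cfg")
    pk=$(sshd_effective pubkeyauthentication yes "$cfg")
    root=$(sshd_effective permitrootlogin prohibit-password "$cfg")
    [ "$pw" = "no" ]  || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$pk" = "yes" ] || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    case "$root" in
        no|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$root (want no or prohibit-password)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK $cfg is hardened against password guessing"
    return "$rc"
}

# ssh_password_guessers LOGFILE THRESHOLD
# Prints "IP COUNT" for each source with at least THRESHOLD failed password
# attempts, sorted by IP. Successful key logins are not counted.
ssh_password_guessers() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }' "$1" | sort
}

# --- constructed sample inputs -------------------------------------------
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed weak config: the posture password-guessing bots rely on.
cat > "$TMPD/weak_sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication no
EOF

# Constructed hardened config following the article's advice.
cat > "$TMPD/hardened_sshd_config" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# Constructed auth-log excerpt (documentation IP ranges, not real sources).
cat > "$TMPD/auth.log" <<'EOF'
Nov 12 07:31:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 12 07:31:03 host sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Nov 12 07:31:05 host sshd[2213]: Failed password for root from 203.0.113.7 port 51041 ssh2
Nov 12 07:31:09 host sshd[2214]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Nov 12 07:32:00 host sshd[2215]: Failed password for bob from 198.51.100.9 port 40100 ssh2
EOF

# --- demo run -------------------------------------------------------------
audit_sshd_config "$TMPD/weak_sshd_config" || echo "weak config needs fixing"
audit_sshd_config "$TMPD/hardened_sshd_config"
echo "sources with >= 3 failed passwords:"
ssh_password_guessers "$TMPD/auth.log" 3
```

Run it against a live host with `audit_sshd_config /etc/ssh/sshd_config` and `ssh_password_guessers /var/log/auth.log 10` (the path and threshold depend on the distribution and on how noisy the host normally is). The first-match rule matters in practice: a hardening line appended to the bottom of a file that already sets `PasswordAuthentication yes` near the top has no effect, which is exactly the kind of mistake this check catches.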