#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

botnet | Breaking Cybersecurity News | The Hacker News

Category — botnet
Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices

Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices

Jan 22, 2025 Botnet / Network Security
Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. The activity originated from a Mirai -variant botnet. "The attack lasted only 80 seconds and originated from over 13,000 IoT devices," Cloudflare's Omer Yoachimik and Jorge Pacheco said in a report. That said, the average unique source IP address observed per second was 5,500, with the average contribution of each IP address per second around 1 Gbps. The previous record for the largest volumetric DDoS assault was also reported by Cloudflare in October 2024, which peaked at 3.8 Tbps. Cloudflare also revealed it blocked approximately 21.3 million DDoS attacks in 2024, a 53% increase from 2023, and th...
Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers

Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers

Jan 21, 2025 Botnet / Vulnerability
Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc Botnet. The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh Trivedi said in an analysis. The campaign is known to be active since at least July 2024, with over 1,370 systems infected to date. A majority of the infections have been located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam. Evidence shows that the botnet leverages known security flaws such as CVE-2017-17215 and CVE-2024-7029 to gain initial access to the Internet of Things (IoT) devices and download the next stage payload by means of a shell script. The script, for its part, fetches the botnet malware and executes it depending on the CPU architecture. The end goal of ...
The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

Jan 16, 2025Identity Protection / SaaS Security
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks . (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester).  Stolen credentials on criminal forums cost as little as $10 (Source: Verizon). Something doesn't add up. So, what's going on? In this article, we'll cover: What's contributing to the huge rise in account compromises linked to stolen creds and why existing approaches aren't working.  The world of murky intelligence on stolen credentials, and how to cut through the noise to find the true positives. Recommendations for security teams to stop attackers from using stolen creds to achieve account takeover. Stolen credential-based attacks are on the rise There's clear evidence that identity attacks are now the #1 cyber threat f...
13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks

13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks

Jan 21, 2025 Email Security / Botnet
A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains." The DNS security company, which has codenamed the campaign Mikro Typo , said its analysis sprang forth from the discovery of a malspam campaign in late November 2024 that leveraged freight invoice-related lures to entice recipients into launching a ZIP archive payload. The ZIP file contains an obfuscated JavaScript file, which is then responsible for running a PowerShell script designed to initiate an outbound connection to a command-a...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation

Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation

Jan 17, 2025 Web Security / Botnet
Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia. "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "These attacks appear tied to the proliferation of gambling-related sites, potentially as a response to the heightened government scrutiny ." The Thales-owned company said it has detected millions of requests originating from a Python client that includes a command to install GSocket (aka Global Socket), an open-source tool that can be used to establish a communication channel between two machines regardless of the network perimeter. It's worth noting that GSocket has been put to use in many a cryptojacking operation in recent months, not to mention even exploiting the access provi...
Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

Jan 08, 2025 Malware / Vulnerability
A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States. Exploiting an arsenal of over 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet has been dubbed "gayfemboy" in reference to the offensive term present in the source code. QiAnXin XLab said it observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024. The vulnerability in question is CVE-2024-12856 (CVSS score: 7.2), which refers to an operating system (OS) command injectio...
Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages

Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages

Jan 06, 2025 Blockchain / Malware
Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation's Hardhat tool in order to steal sensitive data from developer systems. "By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details," the Socket research team said in an analysis. Hardhat is a development environment for Ethereum software, incorporating various components for editing, compiling, debugging and deploying smart contracts and decentralized apps (dApps). The list of identified counterfeit packages is as follows - nomicsfoundations @nomisfoundation/hardhat-configure installedpackagepublish @nomisfoundation/hardhat-config @monicfoundation/hardhat-config @nomicsfoundation/sdk-test @nomicsfoundation/hardhat-config @nomicsfoundation/web3-sdk @nomicsfoundation/sdk-...
FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

Dec 27, 2024 Botnet / DDoS Attack
Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN. "These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface," Fortinet FortiGuard Labs researcher Vincent Li said in a Thursday analysis. "This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051 , CVE-2019-10891 , CVE-2022-37056 , and CVE-2024-33112 ." According to the cybersecurity company's telemetry data, attacks involving FICORA have targeted various countries globally, whereas those related to CAPSAICIN primarily singled out East Asian territories like Japan and Taiwan. T...
Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

Dec 19, 2024 Malware / Botnet
Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware. The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024. "These systems have been infected with the Mirai malware and were subsequently used as a DDoS attack source to other devices accessible by their network," it said . "The impacted systems were all using default passwords." Mirai , which has had its source code leaked in 2016, has spawned several variants over the years. The malware is capable of scanning for known vulnerabilities as well as default credentials to infiltrate devices and enlist them into a botnet for mounting distributed denial-of-service (DDoS) attacks. To mitigate such threats, organizations are recommended to change their passwords with i...
Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action

Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action

Dec 14, 2024 Botnet / Ad Fraud
Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets. "What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware," the BSI said in a press release. BADBOX was first documented by HUMAN's Satori Threat Intelligence and Research team in October 2023, describing it as a "complex threat actor scheme" that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links...
Europol Dismantles 27 DDoS Attack Platforms Across 15 Nations; Admins Arrested

Europol Dismantles 27 DDoS Attack Platforms Across 15 Nations; Admins Arrested

Dec 12, 2024 Cyber Crime / DDoS Attack
A global law enforcement operation has failed 27 stresser services that were used to conduct distributed denial-of-service (DDoS) attacks and took them offline as part of a multi-year international exercise called PowerOFF. The effort, coordinated by Europol and involving 15 countries, dismantled several booter and stresser websites, including zdstresser.net, orbitalstress.net, and starkstresser.net. These services typically employ botnet malware installed on compromised devices to launch attacks on behalf of paying customers against targets of their liking. In addition, three administrators associated with the illicit platforms have been arrested in France and Germany, with over 300 users identified for planned operational activities. "Known as 'booter' and 'stresser' websites, these platforms enabled cybercriminals and hacktivists to flood targets with illegal traffic, rendering websites and other web-based services inaccessible," Europol said in a stat...
Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

Dec 09, 2024 Cloud Security / Botnet
A malicious botnet called Socks5Systemz is powering a proxy service called PROXY.AM, according to new findings from Bitsight. "Proxy malware and services enable other types of criminal activity adding uncontrolled layers of anonymity to the threat actors, so they can perform all kinds of malicious activity using chains of victim systems," the company's security research team said in an analysis published last week. The disclosure comes merely weeks after the Black Lotus Labs team at Lumen Technologies revealed that systems compromised by another malware known as Ngioweb are being abused as residential proxy servers for NSOCKS. Socks5Systemz, originally advertised in the cybercrime underground as far back as March 2013, was previously documented by BitSight as being deployed as part of cyber attacks targeting distributing PrivateLoader, SmokeLoader, and Amadey. The primary objective of the malware is to turn compromised systems into proxy exit nodes, which are t...
Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

Dec 03, 2024 Vulnerability / Network Security
Cisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA). The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a targeted user of the appliance. "An attacker could exploit this vulnerability by convincing a user to access a malicious link," Cisco noted in an alert released in March 2014. As of December 2, 2024, the networking equipment major has revised its bulletin to note that it has become aware of "additional attempted exploitation" of the vulnerability in the wild. The development comes shortly after cybersecurity firm CloudSEK revealed that the threat actors behind AndroxGh0st are leveraging an extensive list of security vulnerabilities in various internet-faci...
Matrix Botnet Exploits IoT Devices in Widespread DDoS Botnet Campaign

Matrix Botnet Exploits IoT Devices in Widespread DDoS Botnet Campaign

Nov 27, 2024 IoT Security / Network Security
A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DDoS) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet. "This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said . There is evidence to suggest that the operation is the work of a lone wolf actor, a script kiddie of Russian origin. The attacks have primarily targeted IP addresses located in China, Japan, and to a lesser extent Argentina, Australia, Brazil, Egypt, India, and the U.S. The absence of Ukraine in the victimology footprint indicates that the attackers are purely driven by financial motivations, the cloud security firm said. The attack chains are characterized by ...
Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices

Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices

Nov 19, 2024 Botnet / IoT Security
The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal. "At least 80% of NSOCKS bots in our telemetry originate from the Ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices," the Black Lotus Labs team at Lumen Technologies said in a report shared with The Hacker News. "Two-thirds of these proxies are based in the U.S." "The network maintains a daily average of roughly 35,000 working bots, with 40% remaining active for a month or longer." Ngioweb, first documented by Check Point way back in August 2018 in connection with a Ramnit trojan campaign that distributed the malware, has been the subject of extensive analyses in recent weeks by LevelBlue and Trend Micro , the latter of which is tracking the financially motivated threat actor behind the operation as Wate...
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

Nov 08, 2024 IoT Security / Vulnerability
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report. AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously leveraged flaws in the Apache web server ( CVE-2021-41773 ), Laravel Framework ( CVE-2018-15133 ), and PHPUnit ( CVE-2017-9841 ) to gain initial access, escalate privileges, and establish persistent control over compromised systems. Earlier this January, U.S. cybersecurity and intelligence a...
German Police Disrupt DDoS-for-Hire Platform dstat[.]cc; Suspects Arrested

German Police Disrupt DDoS-for-Hire Platform dstat[.]cc; Suspects Arrested

Nov 04, 2024 DDoS Attack / Cybercrime
German law enforcement authorities have announced the disruption of a criminal service called dstat[.]cc that made it possible for other threat actors to easily mount distributed denial-of-service (DDoS) attacks. "The platform made such DDoS attacks accessible to a wide range of users, even those without any in-depth technical skills of their own," the Federal Criminal Police Office (aka Bundeskriminalamt or BKA) said . "The use of stresser services to carry out DDoS attacks has recently become increasingly known in the context of police investigations." The BKA described dstat[.]cc as a platform that offered recommendations and evaluations of stresser services in order to conduct DDoS attacks against websites of interest and render them unresponsive. According to an alert published by Radware in January 2023, dstat[.]cc offered botnet owners the ability to assess the capacity and capabilities of their DDoS attack services. "Bot herders use DStat sites ...
Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

Nov 01, 2024 Threat Intelligence / Network Security
Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks. The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers. "Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services," the Microsoft Threat Intelligence team said . "Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others." Quad7, aka 7777 or xlogin, has been the subject of extensive analyses by Sekoia and Team Cymru in recent months. The botnet malware has been observed targeting several brands of SOHO routers and VPN appliances...
Expert Insights / Articles Videos
Cybersecurity Resources