Advisory May 29, 2024

Increase of CatDDoS Attacks

The Obrela Threat Intelligence Team

Over the past three months, there has been a sharp increase in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS.

Description:

CatDDoS is a Mirai botnet variant that emerged in August 2023 and became a prominent threat in September 2023. After a short disappearance it was observed being used by multiple threat groups (Komaru, RebirthLTD, Cecilio Network) to achieve their own individual goals. What is more unsettling is the fact that during the latest attacks, CatDDoS actors have compromised more than 300 targets per day.

The variant performs DDoS attacks using TCP, UDP and other methods. Its original source code appears to be the basis for all the variants that have been used. CatDDoS uses the ChaCha20 algorithm to encrypt communications with the C2 server and uses an OpenNIC domain for C2 to evade detection.

The threat groups using CatDDoS have exploited at least 80 different vulnerabilities in their recent campaign. The vulnerabilities affect various products and technologies, including:

  • Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ)
  • Cisco
  • Jenkins servers
  • Linksys
  • NetGear routers
  • D-Link
  • Metabase
  • Cacti
  • DrayTek
  • FreePBX
  • GitLab
  • Gocloud
  • Huawei
  • Realtek
  • Seagate
  • SonicWall
  • Tenda
  • TOTOLINK
  • TP-Link
  • ZTE
  • Zyxel

Some of the vulnerabilities are recent while others are relatively old, dating back more than a decade.

CatDDoS attacks have targeted organizations across several industries, including communication providers, construction companies, cloud vendors, educational scientific and research institutions. The most targeted countries until now are the United States, France, Germany, Brazil and China.

earth and shield - Advisory image

Recommendations:

To prevent CatDDoS attacks it is suggested to follow the measures mentioned below.

 

References: