MySQL servers are being targeted by the 'Ddostf' malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals. This campaign was discovered by researchers at the AhnLab Security Emergency Response Center during their regular monitoring of threats targeting database servers. ASEC reports that Ddostf's operators either leverage vulnerabilities in unpatched MySQL environments or brute-force weak administrator account credentials to breach the servers. Exploitation of UDF. The attackers are scanning the internet for exposed MySQL servers and, when found, attempt to breach them by brute-forcing administrator credentials. For Windows MySQL servers, the threat actors use a feature called user-defined functions to execute commands on the breached system. UDF is a MySQL feature that allows users to define functions in C or C++ and compile them into a DLL file that extends the capabilities of the database server. The UDF abuse facilitates loading the primary payload of this attack, the Ddostf bot client. It can also potentially allow other malware installation, data exfiltration, creation of backdoors for persistent access, and more. Ddostf is a malware botnet of Chinese origin, first spotted in the wild roughly seven years ago, and targets both Linux and Windows systems. On Windows, it establishes persistence by registering itself as a system service upon first running and then decrypts its C2 configuration to establish a connection. The malware profiles the host system and sends data such as CPU frequency and number of cores, language information, Windows version, network speed, etc. To its C2. The C2 server may send DDoS attack commands to the botnet client, including SYN Flood, UDP Flood, and HTTP GET/POST Flood attack types, request to stop transmitting system status info, switch to a new C2 address, or download and execute a new payload. ASEC comments that Ddostf's ability to connect to a new C2 address makes it stand out from most DDoS botnet malware and is an element that gives it resilience against takedowns. The cybersecurity company suggests that MySQL admins apply the latest updates and pick long, unique passwords to protect admin accounts from brute force and dictionary attacks. Mozi malware botnet goes dark after mysterious use of kill-switch. How DDoS attacks are taking down even the largest tech companies. IPStorm botnet with 23,000 proxies for malicious traffic dismantled. Socks5Systemz proxy service infects 10,000 systems worldwide. Mirai DDoS malware variant expands targets with 13 router exploits.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000