Researchers at AhnLab Security Emergency Response Center (ASEC) have uncovered a large botnet.
Called Ddostf, it scours the web for vulnerable MySQL servers and folds them into a large DDoS-as-a-Service platform offered to cybercriminals who, according to the data collected so far, are of Chinese origin.
According to ASEC, the operators of the campaign look for out-of-date MySQL installations or resort to brute-force attacks against administrator accounts protected by weak, easily guessed credentials.
To take control of a server, the attackers abuse a feature known as UDF (user-defined functions). This MySQL feature lets users write functions in C or C++, compile them into a shared library (a DLL on Windows, a .so on Linux) and load that library into the database server to extend its capabilities.
Once such a library is loaded, the criminals can act on the compromised server in several ways. Besides downloading the Ddostf payload, the attackers can execute arbitrary commands, install other malware, create backdoors, exfiltrate data and much more.
Ddostf targets both Linux and Windows servers: here’s how to avoid risks
ASEC's research yielded a good deal of information about Ddostf and how the criminals manage the botnet. It targets both Linux and Windows systems and, apparently, has been active for seven years.
Once a server is compromised, the malicious agent sends hardware details (such as the CPU model and its number of cores) and operating-system information to the command-and-control (C2) server run by the attackers.
For ASEC, one of the hallmarks of Ddostf compared with many similar operations is its ability to connect to a new C2 address, which lets the botnet keep operating when a C2 server is taken down and makes it one of the more resilient threats in its category.
In light of this campaign, security experts urge MySQL server administrators to be extremely cautious: apply the latest available updates and use strong passwords for the administrator account.
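The UDF mechanism described above works because a shared library written into the server's plugin directory can be registered with CREATE FUNCTION ... SONAME and then called from SQL, so the attack depends on an account with the FILE privilege and on secure_file_priv not restricting where mysqld will write files. The Python script below is an added example, not ASEC's code or anything recovered from Ddostf: it triages the output of three audit queries (mysql.func, @@plugin_dir, @@secure_file_priv) that an administrator can run to check for exactly this kind of abuse, and complements the update and password advice given above with a configuration check. The sample rows, the approved-library set and the in-house library name are constructed for illustration.

```python
"""Triage MySQL UDF registrations and file-export settings for UDF abuse.

Added example, not ASEC's code or part of the article. It expects the
results of the three AUDIT_QUERIES below, collected by the administrator
with any MySQL client; the sample data at the bottom is constructed.
"""
import posixpath

# Queries whose results the functions below triage.
AUDIT_QUERIES = {
    "udfs": "SELECT name, dl FROM mysql.func;",
    "plugin_dir": "SELECT @@plugin_dir;",
    "secure_file_priv": "SELECT @@secure_file_priv;",
}

# Functions exported by lib_mysqludf_sys, the UDF library that most
# MySQL command-execution tooling loads; they are rarely legitimate.
SHELL_UDF_NAMES = {"sys_exec", "sys_eval", "sys_get", "sys_set"}

# Setting that confines SELECT ... INTO DUMPFILE / LOAD DATA to one tree,
# so a FILE-privileged account can no longer drop a .so into plugin_dir.
HARDENING_CNF = "[mysqld]\nsecure_file_priv=/var/lib/mysql-files\n"


def triage_udfs(rows, expected_libs):
    """Return (name, dl, reason) for mysql.func rows worth investigating.

    rows: iterable of (name, dl) as returned by the 'udfs' query.
    expected_libs: shared-library file names the organisation installed
    on purpose (assumption: build this from your package manifests).
    """
    findings = []
    for name, dl in rows:
        reasons = []
        if name.lower() in SHELL_UDF_NAMES:
            reasons.append("name matches a command-execution UDF")
        if dl not in expected_libs:
            reasons.append("library is not in the approved set")
        if "/" in dl or "\\" in dl:
            reasons.append("dl carries a path component")
        if reasons:
            findings.append((name, dl, "; ".join(reasons)))
    return findings


def check_secure_file_priv(secure_file_priv, plugin_dir):
    """Classify @@secure_file_priv; returns (ok, message).

    NULL (None here) disables file import/export entirely. An empty
    string is the dangerous value: any FILE-privileged account can write
    an attacker-supplied library into plugin_dir. A directory confines
    file operations to that tree, which is fine unless plugin_dir lies
    inside it.
    """
    if secure_file_priv is None:
        return True, "file import/export disabled"
    if secure_file_priv == "":
        return False, "unrestricted: FILE privilege can write into plugin_dir"
    sfp = posixpath.normpath(secure_file_priv)
    pdir = posixpath.normpath(plugin_dir)
    if pdir == sfp or pdir.startswith(sfp + "/"):
        return False, "secure_file_priv covers plugin_dir"
    return True, "file import/export confined to " + sfp


# Constructed sample output of the audit queries on a compromised host.
SAMPLE_FUNC_ROWS = [
    ("sys_exec", "lib_mysqludf_sys.so"),  # dropped by the attacker
    ("sys_eval", "lib_mysqludf_sys.so"),
    ("my_hash", "libcompany_udf.so"),     # assumed legitimate in-house UDF
]
SAMPLE_EXPECTED_LIBS = {"libcompany_udf.so"}  # assumption
SAMPLE_PLUGIN_DIR = "/usr/lib/mysql/plugin"

if __name__ == "__main__":
    for finding in triage_udfs(SAMPLE_FUNC_ROWS, SAMPLE_EXPECTED_LIBS):
        print("SUSPECT", finding)
    for value in ("", "/var/lib/mysql-files", None):
        print(repr(value), check_secure_file_priv(value, SAMPLE_PLUGIN_DIR))
```

Any row flagged here should be cross-checked against the file in plugin_dir (owner, modification time, hash) and against the server's general or audit log for the CREATE FUNCTION statement that registered it; removing the UDF with DROP FUNCTION without also deleting the library and rotating the compromised credentials leaves the attacker a way back in.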