A vast botnet comprised of 70,000 Android devices has been blamed by security researchers for a string of DDoS attacks conducted over the past few weeks.
Experts from cyber security organisations including RiskIQ, Flashpoint, Akamai, Cloudflare, Team Cymru, Oracle Dyn, Google and others joined forces to combat the botnet, dubbed WireX.
Similar to the Mirai attacks of last year, WireX used a network of malware-infected devices to flood targets with legitimate-looking HTTP requests, knocking them offline through the sheer volume of traffic.
Rather than IoT and networking devices, however, this attack was carried out using compromised Android phones. Researchers estimated that the botnet contained at least 70,000 devices in over 100 countries, although senior Akamai engineer Chad Seaman told security expert Brian Krebs that the figure could be much higher.
While researchers estimate that WireX could have been active from 2 August, the bulk of attacks did not start until 15 August, catching the attention of the security community a couple of days later on 17 August.
"These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms," said a joint blog post published by Akamai, Flashpoint, Cloudflare and RiskIQ. "Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery."
The researchers warned that keeping a DDoS attack quiet is almost impossible, and said victims should reach out for help rather than trying to pretend that everything is running smoothly.
"The best thing that organisations can do when under a DDoS attack is to share detailed metrics related to the attack," the blog post noted. "With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible."
According to the post-mortem report issued by the security companies involved, the malware masqueraded as seemingly-legitimate apps, including storage managers, ringtone apps and video players.
Many were downloadable only from third-party app stores, but roughly 300 of the malicious apps were hosted on the Google Play Store. Google has now removed these apps from its store, and is in the process of remotely wiping them from users' devices.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
-
Ukraine's vigilante IT army now has a DDoS bot to automate attacks against RussiaNews The 270,000-strong IT Army of Ukraine will now combine supporters' cloud infrastructure to strengthen the daily attacks against their invaders
-
Microsoft's secure VBA macro rules already being bypassed by hackersNews Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware
-
Emotet infrastructure has almost doubled since resurgence was confirmed
News Researchers confirm the infrastructure has also been upgraded for a "better secured", more resilient operation
