Two botnets have been attempting to infect victims globally by exploiting vulnerabilities in modems, routers, and IoT devices. These botnets, identified as Enemybot and Fodcha, are capable of carrying out DDoS attacks.
About Enemybot
The Mirai-based Enemybot botnet has been growing its fleet of infected devices using clever tricks.
In its initial stages of infection, Enemybot drops a message in a file claiming attribution to the Keksec group.
Enemybot uses string obfuscation, and its C2 server hides behind Tor nodes, making its activity difficult to track.
About Fodcha
The Fodcha botnet has been targeting routers, DVRs, and servers, infecting more than 100 new victims every day and using them in DDoS attacks.
This botnet had already spread to over 62,000 devices (unique IPs) between March 29 and April 10, and the number of daily active bots under its control fluctuates between 10,000 and 56,000 devices.
Most bots are found using the services belonging to China Unicom (59.9%) and China Telecom (39.4%).
These recent botnet attacks show the growing problem of unpatched devices and services in a network. The most basic and effective way to prevent such attacks is to patch any exploitable vulnerabilities. Further, you can also perform a manual hard reset of an infected device and change its password.