Distributed Denial of Service (DDoS) attacks represent some of the most public and destructive forms of cyberattack: they can tear down critical infrastructure in moments, while recovery typically takes hours. The sheer growth in Wifi-connected devices worldwide has had the unintended consequence of fueling increasingly extreme attacks. Malicious actors have progressed from small-scale bot collections to amplified attacks that ripple across the globe. The evolution of the new Fodcha botnet shows precisely why modern and adaptive DDoS protection matters.
A new form of botnet was discovered in April 2022. Taking significant inspiration from the notorious Internet of Things (IoT) botnet Mirai, Fodcha places particular emphasis on variety and scale.
Android and IoT devices are particularly weak points, thanks to the malware’s reliance on zero-day vulnerabilities. Telnet services and routers are also probed for a number of common vulnerabilities, such as the classic Log4Shell. Alongside this focus on pre-existing vulnerabilities, Fodcha employs a tool researchers have named Crazyfia: a brute-force cracking program that cycles through popular login details. Once access has been gained, whether through the front door or via stealthier gaps in security, the software begins its compromise.
Fodcha begins with a simple yet effective anti-analysis check: it quickly assesses the device’s runtime parameters to determine whether it is running in a sandbox environment, the kind used by researchers to observe new strains of malware. Once Fodcha has ruled out a sandbox and confirmed that its target is a real device, it begins reaching out to the command and control (C2) server. First, it decrypts sensitive configuration data, which includes a list of C2 servers. While this decryption takes place, Fodcha prints “here we are” on the console, before finally establishing communication with the overarching server.
The server requires no fewer than 5 steps to establish an open channel. These checks show that Fodcha’s creators are somewhat security-minded: only once all 5 checksums match can the authorized device begin sending packets to the C2. From there, the newly recruited devices sit on standby until the server issues further attack instructions.
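The Crazyfia stage described above, a program cycling through popular login details against telnet and similar services, leaves a recognisable trace in authentication logs. The following detector is an added example written for this article, not code from the article or from the Fodcha research; the log line format, the window length and the threshold are assumptions, and the log lines are constructed.

```python
"""Flag sources that cycle through several usernames in a short window,
the pattern a default-credential brute-force program leaves behind."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape (constructed for this example):
# <ISO timestamp> <host> telnetd|sshd[pid]: login failed for user '<u>' from <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<svc>telnetd|sshd)\[\d+\]: "
    r"login failed for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

def parse(line):
    """Return (timestamp, source_ip, username, service) or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["svc"]

def find_credential_cycling(lines, window_s=60, min_users=3):
    """Return {src_ip: sorted usernames} for sources that failed logins with
    at least `min_users` distinct usernames inside any `window_s` second span."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, user, _ = rec
            attempts[src].append((ts, user))
    flagged = {}
    for src, evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

# Constructed sample log: one source cycles four usernames in eight seconds,
# another retries the same account twice, minutes apart (a likely typo, not a bot).
SAMPLE_LOG = """\
2022-04-15T10:00:01Z gw telnetd[411]: login failed for user 'admin' from 203.0.113.5
2022-04-15T10:00:03Z gw telnetd[411]: login failed for user 'root' from 203.0.113.5
2022-04-15T10:00:04Z gw telnetd[411]: login failed for user 'support' from 203.0.113.5
2022-04-15T10:00:09Z gw telnetd[411]: login failed for user 'user' from 203.0.113.5
2022-04-15T10:02:30Z gw sshd[900]: login failed for user 'alice' from 198.51.100.7
2022-04-15T10:07:45Z gw sshd[900]: login failed for user 'alice' from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    print(find_credential_cycling(SAMPLE_LOG))
```

Only the source that tried four different accounts within the window is reported; a single user retrying one password is left alone.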
When first discovered, Fodcha was regularly targeting over 100 DDoS victims a day. Its botnet had reached a hefty 7,000 nodes, and researchers were beginning to show concern. Waiting around the corner, however, was an explosive growth that shocked even the botnet’s discoverers.
The Evolution of a Ransom Giant
Shortly after the first report on Fodcha, its command and control servers were shut down by their hosting cloud vendors. Faced with the prospect of complete collapse, Fodcha’s operators chose to switch C2 servers. A malware update was issued, linking the thousands of brand-new bots to a swathe of relatively secure C2s. These cover over a dozen IPs, distributed across multiple countries including the US, Korea, Japan, and India. V2’s command and control network now involves far more cloud providers, including AWS, DediPath and DigitalOcean. As part of this tightened security, all sensitive resources and network communications are now encrypted, to avoid detection at the file level.
It’s highly likely that Fodcha funds this development by renting its firepower to other threat actors, who can then launch uniquely powerful DDoS attacks. The developers clearly spotted another lucrative opportunity, however, as Fodcha’s latest version includes an extortion module. With it, attackers can launch an attack and then demand a ransom to make it stop. This function demands a one-time payment of 10 XMR (Monero) from each victim, worth approximately $1,300.
Activity reached a new peak on October 11, when 1,396 targets were attacked in a single day. Notable confirmed Fodcha attacks include a days-long DDoS attack against a healthcare organization in June; an attack on a company’s communications infrastructure in September; and a 1 terabyte-per-second attack against a global cloud service provider around the same time. The botnet now depends on 42 command and control domains, which oversee 60,000 active bot nodes daily.
Though many of Fodcha’s targets are located in China and the US, the botnet’s reach is now global, superseding any particular geographical or political motivation. Victims span Europe, Australia, Japan, Russia, Brazil, and Canada.
Protecting Against an Awakening Giant
One DDoS attack can bring an organization down entirely. Whether it’s communication with suppliers, your lifeline to customers, or even the links between teams, a well-placed DDoS cuts you off. It’s vital that DDoS mitigation measures are in place before an attack begins. High-quality mitigation guarantees business continuity and uptime, taking the teeth out of DDoS attacks.
Mitigation is enabled via a change to your DNS records. By routing all your online traffic through your protection provider, your security solution acts as a reverse proxy that masks your origin server’s IP address (as long as no other DNS record still points directly at the origin). This also allows consistent, managed filtering of all incoming traffic. As soon as a DDoS attack hits and your organization begins to strain under the weight of millions of attack packets, the mitigation service’s BGP filtering kicks in. This determines the legitimacy of each site or app visitor without pestering legitimate customers with frustrating CAPTCHAs, added latency, or wait screens. Behind the scenes, the same filtering process is dropping the malicious DDoS traffic.
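The DNS-based fronting just described only masks the origin if every public record for a protected host resolves into the provider’s address space; a forgotten A or AAAA record lets an attacker bypass the proxy and hit the origin directly. The check below is an added example, not code from the article or from any mitigation provider; the provider prefixes and the DNS answers are constructed placeholders, and in practice you would take the prefixes from your provider and the answers from a resolver outside your own network.

```python
"""Report hostnames that publish an address outside the mitigation provider's
ranges, i.e. records through which the origin can still be reached directly."""
import ipaddress

# Constructed placeholder prefixes standing in for the provider's edge network.
PROVIDER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed DNS answers: hostname -> addresses returned for A/AAAA lookups.
DNS_ANSWERS = {
    "www.example.test": ["203.0.113.10", "203.0.113.11"],
    "api.example.test": ["203.0.113.20", "2001:db8:100::20"],
    "legacy.example.test": ["203.0.113.30", "198.51.100.44"],  # one record bypasses the proxy
    "mail.example.test": ["198.51.100.25"],                    # deliberately direct (mail host)
}

def is_fronted(addr, prefixes=PROVIDER_PREFIXES):
    """True if `addr` falls inside one of the provider's prefixes.
    Comparing an IPv6 address against an IPv4 prefix is simply False."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def find_origin_leaks(answers, prefixes=PROVIDER_PREFIXES, exempt=()):
    """Return {hostname: [unfronted addresses]} for hosts that should sit
    behind the provider but publish at least one address outside its ranges.
    Hosts in `exempt` (for example mail servers that cannot be proxied) are skipped."""
    leaks = {}
    for host, addrs in answers.items():
        if host in exempt:
            continue
        direct = [a for a in addrs if not is_fronted(a, prefixes)]
        if direct:
            leaks[host] = direct
    return leaks

if __name__ == "__main__":
    leaks = find_origin_leaks(DNS_ANSWERS, exempt={"mail.example.test"})
    for host, addrs in leaks.items():
        print(f"{host}: origin reachable directly via {', '.join(addrs)}")
```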
With a suitable DDoS mitigation tool in place, your DevSecOps teams can spend less energy and fewer resources battling DDoS attacks, freeing up security resources for more forward-looking concerns. Keep your customers happy, your colleagues online, and your defensive posture sturdy.