Researchers recently reported a massive DDoS campaign involving the Pink botnet, which has infected millions of devices. It is touted as the largest botnet observed in the last six years.

What do we know?

The botnet was dubbed Pink based on a sample obtained in 2019, which contained a large number of function names starting with ‘pink.’
  • At its peak, the Pink botnet had infected more than 1.6 million devices, roughly 96% of them in China.
  • It has been used to launch over 100 DDoS attacks to date.
  • Besides launching DDoS attacks, the operators inject advertisements into HTTP web pages viewed by unaware users.
  • Built on a robust architecture, Pink mainly targets MIPS-based fiber routers.

While most of the devices have been remediated and restored, the botnet is still said to be active with nearly 100,000 nodes.

What makes it unique?

  • The operators used a combination of P2P, third-party services such as GitHub, and central C2 servers for bot-to-controller communication.
  • To retain control over the infected devices despite the vendor's repeated attempts to fix the problem, the operators pushed several real-time updates to the fiber routers.
  • Pink also adopted DNS-Over-HTTPS (DoH).

The way attackers leverage DDoS threats has changed lately. DDoS is now also being used as a secondary tool for threatening victims, and businesses are being warned.

DDoS threat warnings

In the past two weeks, authorities in the U.S. and the U.K. raised alerts about similar campaigns.
  • Last week, the FBI released a flash alert about the HelloKitty ransomware group, which is now threatening to conduct DDoS attacks against victims who refuse to pay the ransom.
  • Before that, Comms Council UK warned businesses in the VoIP market about rising coordinated DDoS extortion campaigns by international cybercriminal groups.

Latest victims of DDoS attacks

There were massive attacks across the globe in the past few weeks, with adversaries disrupting and compromising some well-known brands and services.
  • South Korea's telecom carrier KT suffered a temporary nationwide outage following a massive DDoS attack on its network.
  • Three email providers, Norway-based Runbox, Germany-based Posteo, and Australia-based Fastmail, reportedly suffered large-scale DDoS attacks, with Posteo also facing a ransom demand. Separately, U.K. VoIP provider Voipfone and gaming server provider Sparked were hit by similar DDoS attacks.
  • In September, an attack on Bandwidth.com crippled dozens of companies by causing nationwide outages of its VoIP service.
  • Another notable incident from the month was the attack involving the Meris botnet that compromised a huge number of MikroTik routers.

Summing up

Pink has been thriving on a zero-day flaw in broadband devices from Asian manufacturers. Security leaders and teams must patch this flaw to help curb the spread of the botnet. Apart from that, DDoS attacks are breaking records, so organizations need an incident response plan that includes DDoS mitigation measures.

Cyware Publisher