
The Emerging Giant: New Fodcha Botnet is Moving


Distributed Denial of Service (DDoS) attacks are among the best-known and most damaging forms of attack. They can take important systems offline in seconds, and recovery usually takes hours. The sheer number of devices connected to WiFi worldwide has had an unintended consequence: attacks keep getting more severe. Attackers have moved on from small groups of bots to campaigns that affect people all over the world. The evolution of the new Fodcha botnet shows why modern, adaptable DDoS protection matters.

First-Gen Fodcha

We discovered a new botnet variant in April 2022. Fodcha emphasises variety and scale, and borrows heavily from the well-known Internet of Things (IoT) botnet Mirai.

Because the malware relies on zero-day flaws, Android and IoT devices are especially easy targets. Several widely known vulnerabilities, such as Log4Shell, are also used against Telnet services and routers. Alongside exploiting existing weaknesses, Fodcha uses a tool that researchers have named Crazyfia, a brute-force component that keeps cycling through common passwords. Once it gets in, whether through the front door or through smaller, less obvious security holes, the malware starts running on the device.
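The password-guessing described above leaves a recognisable trace on the target: a burst of failed logins from one source against one device, sometimes followed by a success. The script below is an added example for this article, not code from the article or from Fodcha, and shows how a defender can pick that pattern out of Telnet/SSH authentication logs. The log lines are constructed for the demo, and their syslog-like layout is an assumption; adapt `LINE_RE` to your own device's format.

```python
"""Flag brute-force login bursts against Telnet/SSH from auth-style log lines.

Added example (not from the article or the botnet): a sliding window over
failed logins per (source, host) pair, with a note of whether a successful
login from the same source followed the burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real device logs. One source hammers the
# router with common usernames and then gets in; the last two lines are noise.
SAMPLE_LOG = """\
2022-04-12T10:00:01 router telnetd: login failed for 'admin' from 203.0.113.7
2022-04-12T10:00:02 router telnetd: login failed for 'root' from 203.0.113.7
2022-04-12T10:00:03 router telnetd: login failed for 'user' from 203.0.113.7
2022-04-12T10:00:04 router telnetd: login failed for 'admin' from 203.0.113.7
2022-04-12T10:00:05 router telnetd: login failed for 'support' from 203.0.113.7
2022-04-12T10:00:06 router telnetd: login failed for 'guest' from 203.0.113.7
2022-04-12T10:00:07 router telnetd: login succeeded for 'admin' from 203.0.113.7
2022-04-12T10:05:00 router telnetd: login failed for 'admin' from 198.51.100.9
2022-04-12T10:30:00 router sshd: login succeeded for 'ops' from 192.0.2.5
"""

# Assumed log layout: "<iso-timestamp> <host> <service>: login <result> for '<user>' from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>telnetd|sshd): "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (src, host) pair whose densest `window` holds
    at least `threshold` failed logins. `success_after_burst` is True when a
    successful login from the same source arrived at or after the burst's end,
    which is the sign a guessed password worked."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        (failures if ev["result"] == "failed" else successes)[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        best = None  # (count, first_ts, last_ts) of the densest window seen
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is None:
            continue
        count, first, last = best
        alerts.append({
            "src": key[0], "host": key[1], "failures": count,
            "first": first, "last": last,
            "success_after_burst": any(t >= last for t in successes.get(key, [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

With the constructed input, the source 203.0.113.7 produces a single alert of six failures in five seconds with `success_after_burst` set, while the lone failure from 198.51.100.9 stays below the threshold. The threshold and window are the knobs to tune against your own baseline of mistyped passwords.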

The first thing Fodcha does is a simple but effective check: it quickly inspects the device’s running environment to determine whether it is a sandbox, an environment in which researchers observe new malware. After evading any analysis equipment and confirming that its target is genuine, Fodcha begins contacting the command and control (C2) server. As a first step, it decrypts private configuration data that includes a number of command and control systems. While this decryption takes place, Fodcha writes “here we are” to the console, and then it connects to the master server.

Establishing communication with the server takes at least five steps. These checks show that Fodcha’s authors care about security: only once all five match can the approved device start sending packets to the C2. After that, the newly recruited devices wait for the server to send further attack orders.

When it was first discovered, Fodcha was typically going after more than 100 DDoS victims every day. Researchers were becoming concerned as the botnet passed the 7,000-node mark. But just around the corner was a rapid rise that even the people who found the botnet did not see coming.

The Evolution of a Ransom Giant

As soon as the first report on Fodcha came out, the cloud providers hosting its command and control systems shut them down. Rather than let the whole system fail, Fodcha’s operators switched their command and control servers. An update to the malware connected the thousands of new bots to a group of largely secure C2s: more than a dozen IPs spread across several countries, including the US, Korea, Japan, and India. V2’s command and control network now spans many more cloud companies, including AWS, DediPath, and DigitalOcean. As part of tightening its security, all private resources and network interactions are now encrypted so that they cannot be found at the file level.

It is possible that Fodcha is funding this development by renting out its firepower to other threat actors, who can then launch DDoS attacks far stronger than anything Fodcha had seen before. But the creators clearly saw another way to make money, because Fodcha’s most recent version includes an extortion feature. Attackers can use it to launch an attack and then demand a fee to stop it. An individual victim must pay 10 XMR (Monero), roughly $1,300, to make it stop.

On October 11, a new peak was reached: 1,396 targets were hit in a single day. Confirmed attacks include a multi-day Fodcha attack on a healthcare organisation in June, an attack on a company’s communications infrastructure in September, and a 1 terabyte-per-second attack on a global cloud service provider around the same time. The botnet currently uses 42 command and control domains to manage its 60,000 daily active bot nodes.

Many of Fodcha’s targets are in China and the US, but the botnet’s reach is now worldwide, so no political or regional motive applies. It has struck targets in Europe, Australia, Japan, Russia, Brazil, and Canada.

Protecting Against an Awakening Giant

A single DDoS attack can completely shut down a business. A well-placed DDoS attack can cut you off from your suppliers, your users, or even other teams. It is essential to have DDoS protection in place before an attack starts. With good protection in place, DDoS attacks lose much of their power, and businesses stay online.

Mitigation begins with a change to your DNS records. All of your internet traffic then goes through your security service, which hides your server’s IP address and acts as a protective proxy. This also makes it possible to filter all incoming traffic in a uniform and controlled way. Once a DDoS attack begins and millions of attack packets start to put stress on your company, the mitigation service’s BGP filtering kicks in. It determines whether a site or app visitor is legitimate without bothering real customers with annoying CAPTCHAs, slow loading times, or dull wait screens. This screening stops harmful DDoS traffic before it reaches you.
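The DNS change only protects the origin if no public record still points at it: a forgotten subdomain, a mail host on the same box, or an SPF record listing the origin address all let traffic bypass the proxy. The script below is an added example for this article, not code from the article or from any mitigation vendor. It audits a zone against the address ranges the provider fronts traffic from and reports records that still expose the origin. The provider ranges, the origin address, and every hostname and record are constructed for the demo.

```python
"""Audit a DNS zone for records that bypass the DDoS mitigation proxy.

Added example (not the article's or a vendor's code). Address records must
resolve into the provider's ranges; no record of any type may carry the
origin server's real IP. All values below are constructed.
"""
import ipaddress

# Constructed: ranges the hypothetical mitigation provider answers from.
PROVIDER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed: the origin server's real addresses, which must not be published.
ORIGIN_IPS = {ipaddress.ip_address("198.51.100.20")}

# Constructed zone as (name, type, value) triples. The apex and www are
# proxied; a leftover 'dev' record, the mail host, and the SPF text still
# reveal the origin.
ZONE = [
    ("example.test", "A", "192.0.2.10"),
    ("example.test", "AAAA", "2001:db8:1::10"),
    ("www.example.test", "CNAME", "example.test"),
    ("dev.example.test", "A", "198.51.100.20"),
    ("mail.example.test", "A", "198.51.100.20"),
    ("example.test", "MX", "mail.example.test"),
    ("example.test", "TXT", "v=spf1 ip4:198.51.100.20 -all"),
]


def behind_provider(ip):
    """True if `ip` (string or address object) lies in a provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def audit_zone(zone, origin_ips=ORIGIN_IPS):
    """Return a list of (name, type, value, reason) findings.

    A/AAAA records outside the provider ranges are reported, with a sharper
    reason when the value is the origin itself. Every other record type is
    scanned for an origin IP embedded in its data (SPF/TXT is the usual leak).
    """
    findings = []
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            if behind_provider(value):
                continue
            if ipaddress.ip_address(value) in origin_ips:
                reason = "origin IP published"
            else:
                reason = "not in provider ranges"
            findings.append((name, rtype, value, reason))
        else:
            for ip in origin_ips:
                if str(ip) in value:
                    findings.append((name, rtype, value, "origin IP in record data"))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(ZONE):
        print("%-20s %-5s %-32s %s" % finding)
```

Against the constructed zone this reports three findings: the `dev` and `mail` A records and the SPF TXT record. Fixing them means moving those hosts behind the provider too, or at least giving them addresses that are not shared with the protected origin, since any published origin address lets an attacker skip the filtering layer entirely.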

With the right DDoS protection tool in place, your DevSecOps teams can spend less time and energy fighting DDoS attacks, which frees security resources to work on the issues most likely to arise in the future. Keep your customers happy, your coworkers online, and your protection strong.
