Here\u2019s how simple it is for script kiddies to stand up DDoS services | CyberScoop<\/title> <meta name=\"description\" content=\"How plug-and-play hacking tools and lax configs helped a Russian script kiddie start a scheme.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/russian-hacker-script-matrix-ddos-aqua\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Here\u2019s how simple it is for script kiddies to stand up DDoS services\"> <meta property=\"og:description\" content=\"How plug-and-play hacking tools and lax configs helped a Russian script kiddie start a scheme.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/russian-hacker-script-matrix-ddos-aqua\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-11-26T11:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-11-25T23:42:36+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1200\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Christian Vasquez\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@chrismvasq\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82732\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82732\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Frussian-hacker-script-matrix-ddos-aqua%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Frussian-hacker-script-matrix-ddos-aqua%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82732 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/russian-hacker-script-matrix-ddos-aqua\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.298429319372\">\n<div class=\"single-article__header-content\" readability=\"32.615803814714\">\n<p> How plug-and-play hacking tools and lax configs helped a Russian script kiddie start a scheme. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82732\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"400\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services.jpg?resize=640%2C400&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=300,188 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=768,480 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=1024,640 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=1536,960 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=600,375 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=269,168 269w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=539,337 539w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=1080,675 1080w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-2.jpg?resize=1349,843 1349w\" sizes=\"(max-width: 1080px) 100vw, 1080px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"48.321884984026\"><body readability=\"97.599616450032\"><\/p>\n<p>A new report from Aqua Security highlights just how easy it is for an amateur-level hacker to set up malicious services that could in turn be weaponized by much-more skillful threat actors in the future.<\/p>\n<p>The cloud security company <a href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/11\/EMBARGOED_Matrix_Unleashes_Widespread_DDoS_Campaign.pdf\">detailed in a report released Tuesday<\/a> an operation to sell access to distributed denial-of-service (DDoS) tools on Telegram which was started by an apparent Russian threat actor known as \u201cMatrix,\u201d citing the code commits from a GitHub account. The threat actor, which Aqua calls a \u201cscript kiddie,\u201d spent a year creating a botnet using a mashup of open-source hacking tools while exploiting old bugs and default credentials from routers, DVRs, and other internet-connected devices.<\/p>\n<p>Assaf Morag, Aqua Natuilus\u2019 director of threat intelligence, wrote that even \u201cscript kiddies can leverage open-source tools to execute sophisticated and large-scale campaigns.\u201d<\/p>\n<p>\u201cAlthough this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software,\u201d Morag wrote. \u201cThe campaign ultimately reflects how a lack of basic security configurations can leave devices vulnerable to extensive exploitation with minimal technical sophistication.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The result of Matrix\u2019s work is a Telegram bot dubbed \u201cKraken Autobuy\u201d that automatically offers plans paid with cryptocurrency with services ranging from \u201cBasic,\u201d to \u201cUltima,\u201d to \u201cEnterprise\u201d level DDoS attacks. Aqua researchers noted that the entire operation is made up of a mesh of various DDoS frameworks and configuration tools like the Mirai botnet, SSH scanners, python bots, and a Discord bot. Most of the code is found available online, then rewritten to work together.<\/p>\n<p>For example, the operation also uses playit.gg, a tool that makes it easy to host multiplayer games or web servers without needing to configure complex network settings, as a part of its command and control servers.<\/p>\n<p>\u201cThe true skill lies in the ability to integrate and operate these tools effectively, highlighting the growing threat posed by script kiddies with access to readily available hacking resources,\u201d Morag wrote.<\/p>\n<p>Aqua Security initially discovered the campaign when a hacker attempted to add one of their honeypots to the botnet. While it\u2019s not clear just how many devices make up the botnet, Morag has seen Matrix offer botnet services on cybercriminal forums. He also said that if one percent of the 35 million devices targeted by the hacker are vulnerable, the botnet could reach up to 350,000 compromised devices for rent.<\/p>\n<p>The devices include routers and devices from companies such as Huawei, ZTE, and TP-Link, Linux distributions like uClinux with insecure default configurations, among others. Most of these devices may have escaped notice if not for a lack of \u201cfundamental security practices\u201d the report notes.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While DDoS attacks might not appear highly sophisticated, a script kiddie\u2019s ability to carry out these types of attacks by using readily available tools underscores the challenges in securing those same devices against exploitation by more formidable state-sponsored threats, like China\u2019s targeting of vulnerable routers and internet-connected devices.<\/p>\n<p>Morag noted that Matrix appears to be based in Russia, but largely appears to target China and Japan based on those countries\u2019 widespread adoption of IoT devices. Additionally, neither the U.S. or Ukraine are high on the target lists, which Morag wrote indicates that \u201cmotivations are strongly tied to financial gain rather than any patriotic sentiment.\u201d But Matrix is just one of a smaller group of lone actors that target insecure internet-connected devices, which are essentially free playthings for malicious actors everywhere.<\/p>\n<p>The U.S. government has warned about vulnerable routers, including as recently as September as Chinese threat actors continue to target these devices to create a worldwide botnet for malicious activity. U.S. officials <a href=\"https:\/\/www.nsa.gov\/Press-Room\/Press-Releases-Statements\/Press-Release-View\/Article\/3909590\/\">said that the botnet<\/a> grew to over 26,000 devices and spanned the globe by June 2024 before being taken down. <\/p>\n<p>Russian hacktivists have also used DDoS attacks against critical infrastructure. In July, the Treasury Department <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy2473\">sanctioned members of the Cyber Army of Russia Reborn<\/a>, a pro-Russian group with ties to military intelligence, which used DDoS against U.S. critical infrastructure. <\/p>\n<p>But while Beijing\u2019s state-backed hackers may have access to some of <a href=\"https:\/\/cyberscoop.com\/china-hacking-talent-xi-jinping-education-policies\/\">the most secretive vulnerabilities and zero-days<\/a>, Matrix chose to use years-old vulnerabilities: password sprays of admin:admin logins or misconfigured devices that can be easily found to add to their botnet.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.6305732484076\">\n<div class=\"author-card\" readability=\"9\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services-1.jpg?w=640&ssl=1\" alt=\"Christian Vasquez\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Christian Vasquez<\/h4>\n<p> Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/russian-hacker-script-matrix-ddos-aqua\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here\u2019s how simple it is for script kiddies to stand<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[271,282,78,174,3175,281,3122,256,270,3176,288],"tags":[277,286,86,178,3177,285,3127,262,276,3178,294],"class_list":["post-6401","post","type-post","status-publish","format-standard","hentry","category-china","category-cybercrime","category-cybersecurity","category-ddos","category-ddos-for-hire","category-hacking","category-japan","category-research","category-russia","category-telegram","category-threats","tag-china","tag-cybercrime","tag-cybersecurity","tag-ddos","tag-ddos-for-hire","tag-hacking","tag-japan","tag-research","tag-russia","tag-telegram","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ddos\/\" rel=\"category tag\">DDoS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ddos-for-hire\/\" rel=\"category tag\">DDoS-for-hire<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/japan\/\" rel=\"category tag\">Japan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/telegram\/\" rel=\"category tag\">telegram<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6401"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6401\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6401,"date":"2024-11-26T05:00:00","date_gmt":"2024-11-26T11:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82732"},"modified":"2024-11-26T05:00:00","modified_gmt":"2024-11-26T11:00:00","slug":"heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/26\/heres-how-simple-it-is-for-script-kiddies-to-stand-up-ddos-services\/","title":{"rendered":"Here\u2019s how simple it is for script kiddies to stand up DDoS services"},"content":{"rendered":"