Unmasking the Botnet: How a Brazilian DDoS Protection Firm Became the Attacker
In a shocking revelation, a Brazilian company specializing in defending networks from distributed denial-of-service (DDoS) attacks was itself used as a platform to launch massive DDoS assaults against other Brazilian internet service providers (ISPs). Security researchers uncovered a cache of malicious tools and private SSH keys belonging to the CEO of Huge Networks, a Miami-founded firm with operations in Brazil. This discovery exposed a botnet that had been wreaking havoc on Brazilian ISPs for years, prompting questions about how a cybersecurity firm could be turned into a weapon. The CEO claims the breach was orchestrated by a competitor to damage his company's reputation. Let's dive into the details.
What is the key finding about Huge Networks and DDoS attacks on Brazilian ISPs?
Security experts have long observed a series of massive DDoS attacks targeting Brazilian ISPs, but the source remained a mystery until a leaked archive shed light on it. The archive contained Portuguese-language Python malware and the private SSH authentication keys of Huge Networks' CEO. This evidence indicates that a threat actor had root access to Huge Networks' infrastructure and used it to build a potent botnet. The botnet exploited insecure routers and misconfigured DNS servers across the internet to amplify attacks. Despite Huge Networks' role as a DDoS mitigation provider, its own systems were compromised, turning it into an unwitting attacker. The attacks solely targeted Brazilian ISPs, suggesting a focused campaign by a local actor.

How was the botnet discovered and what evidence was found?
A trusted source shared a curious file archive discovered in an open directory online. The archive included several Portuguese-language Python scripts designed for malicious purposes, along with the private SSH keys belonging to Huge Networks' CEO. These keys provided root-level access to the company's servers. The files revealed a sophisticated setup: the attackers mass-scanned the internet for vulnerable routers and unmanaged DNS servers. By compromising these devices, they assembled them into an attack network. The archive also contained configuration files and logs showing previous DDoS campaigns directed at Brazilian ISPs. This digital evidence linked the botnet directly to infrastructure controlled by Huge Networks, despite the company's official stance as a defender.
What role did Huge Networks' CEO play, and what was his response?
The CEO of Huge Networks, whose identity has not been publicly disclosed, was implicated by the leaked SSH keys. However, he denies any intentional wrongdoing. In a statement, the CEO claimed that the malicious activity resulted from a security breach. He suggested that a competitor orchestrated the attack to tarnish his company's image. The CEO emphasized that Huge Networks itself was a victim of cybercrime and that it had no knowledge of the botnet operating from its systems. He also noted that the company had since secured its infrastructure and was cooperating with authorities. Despite the breach, Huge Networks continues to provide DDoS protection services, though its reputation has been damaged.
What type of DDoS attack technique was used, and how does it work?
The botnet employed a technique known as DNS amplification, a form of reflection attack. Attackers send spoofed DNS queries to misconfigured DNS servers that accept requests from anywhere. The queries are crafted to appear as if they originate from the target's IP address. When the DNS server responds, it sends a much larger reply to the target, overwhelming its bandwidth. By leveraging an extension to the DNS protocol that allows large messages, attackers can create an amplification factor of 60 to 70 times. For instance, a 100-byte request can generate a 6,000-byte response. Combined with thousands of compromised devices, this generates devastating traffic floods. This method is particularly effective because it hides the true source of the attack.
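Seen from the victim ISP's side, the reflection pattern described above is detectable in plain flow records. The following is an added example, not code from the article or from Huge Networks; the flow records are constructed, and the 100-byte query size used to estimate amplification is taken from the article's own figures.

```python
from collections import defaultdict

# Added example, not the article's code. Constructed NetFlow-style records:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes). Seen from the victim
# ISP's border, an amplification flood is many large UDP answers *from*
# port 53 on many distinct resolvers, all converging on one customer IP.
SAMPLE_FLOWS = [
    ("198.51.100.5", 53, "203.0.113.10", 7000, "udp", 6000),
    ("198.51.100.6", 53, "203.0.113.10", 7000, "udp", 5800),
    ("198.51.100.7", 53, "203.0.113.10", 7000, "udp", 6200),
    ("198.51.100.8", 53, "203.0.113.10", 7000, "udp", 6000),
    # ordinary lookup: small query out, small answer back from one resolver
    ("203.0.113.20", 51234, "198.51.100.1", 53, "udp", 70),
    ("198.51.100.1", 53, "203.0.113.20", 51234, "udp", 130),
    # DNS over TCP needs a handshake, so a spoofed source cannot reflect it
    ("198.51.100.1", 53, "203.0.113.21", 40000, "tcp", 9000),
]

QUERY_BYTES = 100  # spoofed query size assumed, per the article's 100 -> 6,000 example

def detect_dns_amplification(flows, min_resolvers=3, min_avg_response=1500):
    """Return {victim_ip: stats} for destinations receiving large UDP/53
    answers from at least `min_resolvers` distinct sources. A normal answer
    is a few hundred bytes; multi-KB answers from many resolvers at once,
    with no matching queries from the victim, is the reflection signature."""
    per_dst = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "responses": 0})
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto != "udp" or sport != 53:
            continue                      # only UDP answers can be reflected
        s = per_dst[dst]
        s["resolvers"].add(src)
        s["bytes"] += nbytes
        s["responses"] += 1
    suspects = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["responses"]
        if len(s["resolvers"]) >= min_resolvers and avg >= min_avg_response:
            suspects[dst] = {
                "resolvers": len(s["resolvers"]),
                "bytes": s["bytes"],
                "avg_response_bytes": round(avg),
                "est_amplification": round(avg / QUERY_BYTES),  # assumes 100-byte queries
            }
    return suspects

if __name__ == "__main__":
    for victim, stats in detect_dns_amplification(SAMPLE_FLOWS).items():
        print(f"possible DNS amplification against {victim}: {stats}")
```

Real deployments would read exported flows over a time window and tune the thresholds to the network's normal DNS answer sizes.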

How did the attackers compromise routers and DNS servers to build the botnet?
The attackers conducted routine mass-scanning of the internet to identify insecure devices. They targeted home and small office routers with default or weak credentials, as well as unmanaged domain name system (DNS) servers that were misconfigured to answer queries from any source. Once compromised, these devices were enlisted into a botnet controlled via a command-and-control server hosted on Huge Networks' infrastructure. The Python scripts found in the archive automated the scanning and exploitation process. The botnet could then be directed to launch coordinated DDoS attacks by sending spoofed DNS queries from thousands of compromised devices. This approach allowed the attackers to remain anonymous while leveraging the resources of a known DDoS protection firm.
Why is the fact that Huge Networks is a DDoS protection firm particularly concerning?
Huge Networks positions itself as a guardian against DDoS attacks, offering mitigation services to ISPs and gaming servers. The discovery that its own systems were used to launch attacks undermines trust in the cybersecurity industry. It highlights that even defenders can become attackers if their infrastructure is compromised. This case also raises questions about the adequacy of security measures within DDoS protection companies. The irony is stark: a firm hired to stop DDoS attacks was unknowingly empowering the very threats it was meant to combat. It also suggests that attackers are targeting security providers to gain leverage. For Brazilian ISPs, this betrayal from a trusted partner could have long-lasting repercussions on their security strategies.
What steps can be taken to prevent such attacks in the future?
To prevent similar incidents, organizations should implement robust security practices, including multi-factor authentication, regular audits of SSH keys, and strict network segmentation. DDoS protection firms must treat their own infrastructure as the high-value target it is, conducting penetration testing and monitoring for unauthorized access. Internet service providers can reduce DNS amplification risks by configuring DNS servers to respond only to queries from trusted networks. Additionally, mass-scanning and exploitation of insecure devices can be mitigated through better router security, such as changing default passwords and disabling remote management. Collaborative threat intelligence sharing among ISPs and security firms can also help identify and neutralize botnets early. Finally, legal action against malicious actors and increased accountability for security breaches may deter future attacks.
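One of the audits above, regular review of SSH keys, can be partly automated. The following added example (not code from the article or from Huge Networks) audits an OpenSSH authorized_keys file for the kinds of entries that turn a leaked private key into root access: deprecated or undersized key types and keys that carry no source or capability restrictions. The key blobs are constructed in ssh wire format for the parser and are not real key pairs.

```python
import base64
import re
import struct

# Added example, not the article's code; key blobs below are constructed.
KEY_RE = re.compile(r"(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+) +([A-Za-z0-9+/=]+)")

def _s(b):             # ssh wire-format string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def _mpint(n):         # positive mpint; spare byte keeps the sign bit clear
    return _s(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _read(blob, off):  # read one wire-format string at offset
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_bits(b64):     # modulus size of an ssh-rsa blob laid out as: type, e, n
    blob = base64.b64decode(b64)
    _, off = _read(blob, 0)        # "ssh-rsa"
    _, off = _read(blob, off)      # exponent e
    n, _ = _read(blob, off)        # modulus n
    return int.from_bytes(n, "big").bit_length()

def audit_line(line):
    """Findings for one authorized_keys line (empty list if none)."""
    m = KEY_RE.search(line)
    if line.lstrip().startswith("#") or not m:
        return []
    ktype, opts = m.group(1), line[:m.start()]   # options precede the key type
    findings = []
    if ktype == "ssh-dss":
        findings.append("deprecated ssh-dss key")
    if ktype == "ssh-rsa" and rsa_bits(m.group(2)) < 2048:
        findings.append("RSA modulus under 2048 bits")
    if "from=" not in opts:
        findings.append("no from= source restriction")
    if "restrict" not in opts and "no-port-forwarding" not in opts:
        findings.append("forwarding/pty not restricted")
    return findings

def audit(text):       # 1-based line number -> findings, for lines with any
    return {i: f for i, l in enumerate(text.splitlines(), 1) if (f := audit_line(l))}

def fake_rsa_b64(bits):  # constructed ssh-rsa blob whose modulus has `bits` bits
    return base64.b64encode(_s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)).decode()
ED25519_B64 = base64.b64encode(_s(b"ssh-ed25519") + _s(bytes(32))).decode()
SAMPLE = "\n".join([                       # constructed authorized_keys
    f"ssh-rsa {fake_rsa_b64(1024)} ceo@laptop",
    f"ssh-rsa {fake_rsa_b64(3072)} ops@jump",
    f'from="10.0.0.0/8",restrict ssh-ed25519 {ED25519_B64} deploy',
    f"ssh-dss {ED25519_B64} legacy",       # blob is not parsed for DSA
])
```

Run `audit(open("/root/.ssh/authorized_keys").read())` on a real host; only the third sample entry, source-restricted and stripped of forwarding, comes back clean.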