Request a demo
BLOG

Incredibly simple…yet effective. Zhadnost botnet relies on Open Proxies and DNS Resolvers.

By Ryan Slaney, Staff, Threat Researcher
04/21/2022

Executive Summary and Key Insights

  • SecurityScorecard’s Threat Research and Intelligence team has discovered that the Zhadnost botnet infrastructure consists of open proxies and DNS resolvers that can be found in lists published online, or by using tools that require little technical skill. Once the list of bots is complete, the threat actor must only launch a simple script to kick off HTTP or DNS Amplification DDoS attacks against any target.

  • Zhadnost MikroTik bots do not need to be vulnerable to CVE-2018-14847; they simply need to be running an open HTTP or SOCKS proxy. However, it is possible that a threat actor previously exploited CVE-2018-14847 to enable the proxy in the first place.

  • Attributing Zhadnost and the DDoS attacks to any one threat actor is difficult, however, SecurityScorecard’s Threat Research and Intelligence team assesses with moderate confidence that Russia, or Russian-aligned actors, are likely behind the use of the Zhadnost botnet.

  • Based on prior history of Russian attacks, the next play in the Russian cyber threat actor playbook would be the deployment of wiper-style attacks, possibly against critical infrastructure and government targets in countries seeking NATO membership.

  • Some Zhadnost MikroTik bots have been previously compromised by Mēris. We assess with moderate confidence that the overlap with the Mēris botnet is simply a coincidence. Given that both botnets rely heavily on MikroTik devices, it’s an eventuality that Zhadnost would use a proxy on a MikroTik device previously compromised by Mēris.

  • So far, Zhadnost has not used Russian, or Belarussian-based IP addresses as bots.

Outlook

As mentioned in SecurityScorecard’s (SSC) previous Zhadnost blog posts (part one and part two), the DDoS attacks against Ukrainian and Finnish websites do not appear to have a lasting impact, as the sites were back online within hours of the attack. SecurityScorecard assesses with moderate confidence that the goal of using the Zhadnost botnet has become less about denying service and more about serving a warning to NATO members, and countries such as Sweden and Finland, who are seeking membership in the organization. As these countries continue down the path of obtaining full NATO membership, SSC assesses with moderate confidence that cyber attacks will not only continue, but escalate. If history were to repeat itself, the next play in the Russian cyber threat actor playbook would be the deployment of wiper-style attacks, possibly against critical infrastructure and government targets.

Recommendations

  • It is critical to put DDoS mitigations in place, via a service like Cloudflare, Akamai, or AWS Cloudfront. Having a firewall will not stop the volume of traffic we have observed during a Zhadnost DDoS attack.

  • Furthermore, blocking Russian IPs will not stop DDoS attacks. The attacks are coming from across the world leveraging exploited devices located within neutral countries in Latin America, EU (not Russia or Belarus), and southeast Asia. Actively blocking known open proxies listed publicly would help limit the effectiveness of the attack, but may also end up blocking users who legitimately use these services.

  • It’s important that DNS Resolvers are configured to only accept requests from internal IP addresses, unless there is a practical reason not to do so.

Background

As mentioned in SecurityScorecard’s previous Zhadnost research blogs, linked in the previous section, our Threat Research and Intelligence team has discovered that the majority of Zhadnost bots are MikroTik routers. MikroTik routers have a history of vulnerabilities that allow threat actors to use them for DDoS attacks and other malicious purposes. In 2021, Yandex/Qrator Labs reported that 90 to 95% of the bots in a newly discovered botnet called Mēris were MikroTik devices. Later in 2021, NetScout reported that another botnet called Dvinis also resided on the same exploitable MikroTik devices. These botnets mostly exploited CVE-2018-14847, which allows unauthenticated remote attacks to read and write files on the router. Once compromised, the routers can be used for DDoS attacks, command and control, eavesdropping, and many other malicious purposes.

CVE-2018-14847

During our technical analysis of individual bots in the Zhadnost botnet, SSC discovered that some of the Zhadnost MikroTik bots are still vulnerable to CVE-2018-14847. Using a simple Python script found on GitHub, a request to a vulnerable MicroTik router on port 8291 would return user credentials in plain text. These credentials could then be used to log on to the router from an external IP address, giving the threat actor complete control of the router. This could explain how the threat actor behind Zhadnost was able to take control of these routers and use them as bots; however, vulnerable bots only represent a very small portion of Zhadnost, therefore, there had to be another way.

SecurityScorecard then focused on MikroTik’s ability to run Web (HTTP) and SOCKS proxy services. What we discovered was that all the Zhadnost MikroTik bots were running one or both of these services. SSC was successfully able to curl through these proxies without any authentication.

Image 1. Successful curl through HTTP and Socks proxy on Zhadnost MikroTik bot. (Source: SSC)

Additionally, the Zhadnost bots we had identified as Squid Proxies were also accessible without credentials, and we were able to curl through them successfully as well.

Image 2. Successful curl through Zhadnost Squid Proxy bot. (Source: SSC)

We also discovered several websites that contained large lists of open proxies, such as spys.one and proxydb.net, the former of which is interesting since it allows proxies to be filtered to MikroTik and Squid Proxy services. Additionally, it offers both an English and Russian language interface. It is important to note that there is no evidence that spys.one or proxydb.net are implicit with the Zhadnost botnet, but they are examples of websites containing lists of open proxies that can be used by threat actors.

Image 3: List of thousands of open proxies on MikroTik devices. (Source: spys.one)


Most of the Zhadnost bots can be found in spys.one’s database. The few that are not all have proxies on the bot’s subnet/16 or subnet/24. SecurityScorecard assesses with moderate confidence that this discrepancy is due to the proxy being behind a gateway on the same subnet.

Image 5: Listing of Zhadnost bot on spys.one. (Source: spys.one)

Sometimes this simplest answer is the right answer. SecurityScorecard assesses with moderate confidence that Zhadnost is made up of open proxies and DNS resolvers that can be found in lists published online. The threat actor can pick and choose bots from these lists, and write simple scripts to kick off HTTP or DNS Amplification DDoS attacks against any target. Given that spys.one alone lists nearly 15,000 MikroTik open proxies, this represents a vast infrastructure of potential bots Zhadnost actors could choose from. Although most Zhadnost bots do not appear to be vulnerable to CVE-2018-14847, we can not rule out that a threat actor may have previously exploited CVE-2018-14847 to turn the proxies on in the first place.

Image 4. Location and density of MikroTik devices. (Source: SSC Attack Surface Intelligence)

Open DNS Resolvers

As we reported in our first blog post in this series, the Zhadnost botnet conducted two DDoS attacks on Ukrainian websites using DNS amplification. All of the bots we identified in these attacks had DNS recursion enabled on port 53 and 84% of them could be identified as MikroTik devices. According to MikroTik’s website, every MikroTik that has the “Allow-Remote-Requests” feature turned on is a potential attack vector, representing a 1:179 bandwidth amplification factor. This feature is turned on by default.

SecurityScorecard did not find any public lists that specifically detailed open DNS resolvers on MikroTik devices. However our research team is aware of tools and paid services that offer the capability to identify open DNS resolvers, but they are not specific to MikroTik devices. Metasploit’s DNS Amplification Scanner module can be used to discover DNS servers which expose recursive name lookups that can then be used in an amplification attack against a third party. It is possible that Zhadnost relied on one of these methods to create its inventory of DNS resolvers, but SecurityScorecard can not conclusively make this determination.

An alternate theory is that, given Zhadnost’s tendency for simplicity, Zhadnost just assumed that any MikroTik device running an open proxy also had DNS recursion enabled, and thus simply chose bots from the same list of MikroTik devices. Again, SecurityScorecard can not conclusively determine if this is the case.

Overlap with Mēris Botnet

While investigating Zhadnost bots, we came across some that had clear indications that they had been previously compromised by Mēris. We discovered tasks in the router’s scheduler application that would instruct the router to download data from the following domains at specific times during the day:

  • Myfrance.xyz

  • Bestony.club

  • Specialword.xyz

  • Portgame.website


All of these domains are known IoCs of the Mēris botnet and are part of the list of domains that MikroTik advised should be blocked.

Image 6: Mēris botnet IoCs on MikroTik router (Source: SSC)

Attribution

Attributing Zhadnost to a specific threat actor is difficult, given that the bots aren’t solely owned by Zhadnost threat actors. Rather, they are legitimate network devices running open proxy services that could be used by anyone with limited technical knowledge. Many botnets rely on compromised MikroTik devices, and individual bots can be used by more than one botnet. Avast recently reported vulnerable MikroTik routers “resemble a war field, where various attackers are fighting for the device, overwriting each other’s scripts with their own.” Avast discovered a control panel which it linked to both a crypto mining and Glupteba malware campaign and then suggested it was likely that both campaigns relied on a botnet-as-a-service. The control panel itself would automatically switch to Russian language and indicated it was in control of nearly 230,000 devices. It also contained VPN configurations for MikroTik routers.

Taking into account the current geopolitical factors, and considering which country is likely to gain from Zhadnost attacks, SecurityScorecard continues to assess with moderate confidence that Russia–or Russian-aligned actors–are likely behind Zhadnost.

Indicators of Compromise

Please contact [email protected] for IoCs associated with the Zhadnost botnet, or with any questions or comments.

SecurityScorecard’s threat intelligence could be the competitive advantage your company needs to stay ahead of today’s fast-moving threat actors. If your company would like to access the expertise of SecurityScorecard’s Threat Research and Intelligence team, please contact [email protected].


Return to Blog
Join us in making the world a safer place.
FREE ACCOUNT SIGN UP
Products
Solutions
Customers
Marketplace
Partners
Resources
Company
Trust Portal
Security Ratings
Login
Blog
Contact
Careers

SecurityScorecard
Tower 49
12 E 49th St
Suite 15-100
New York, NY 10017

[email protected]

Social-linkedin Twitter Instagram Youtube