“Spike” DDoS Toolkit Targets PCs, Servers, IoT Devices: Akamai

Akamai’s Prolexic Security Engineering and Response Team (PLXsert) has published a new threat advisory to warn enterprises of distributed denial-of-service (DDoS) attacks leveraging a toolkit dubbed “Spike.”

According to the Internet infrastructure company, the Spike DDoS Toolkit has been used in several attacks aimed at organizations in Asia and the United States. One of the attacks observed by PLXsert peaked at 215Gbps and 150 Mpps.

The malware, which appears to have been developed by a China-based group, uses compromised machines to launch SYN floods, UDP floods, DNS query floods, and GET floods against targeted organizations.

While there are several threats capable of performing such attacks, Spike stands out because it can infect not only Windows machines, but also desktop and ARM-based devices running Linux. This means that the list of targeted machines includes not only PCs and servers, but also routers and Internet of Things (IoT) devices such as thermostats, fridges, lighting solutions and washers.

“The Spike DDoS toolkit contains components of a typical client-based botnet: a command and control (C2) panel, binary payloads for infection and DDoS payload builders. The C2 and the builders are Windows binaries for use by the malicious actor, while the infectious payloads were designed to target mainly Linux or other embedded devices,” PLXsert said in its advisory. “The ability of the Spike toolkit to generate an ARM-based payload suggests that the authors of such tools are targeting devices such as routers and IoT devices to expand their botnets for a post-PC era of botnet propagation.”

Pieces of malware that appear to be variants of this toolkit were analyzed earlier this year by Russian security firm Doctor Web. The company initially found only Linux versions of the malware, but in August it reported that one of the threats had been ported to Windows.

The toolkit sample analyzed by PLXsert came with a total of three payload builders: two for 32-bit and 64-bit Linux payloads, and one for 32-bit ARM executables.

“The introduction of a multi-platform DDoS toolkit such as the Spike DDoS toolkit indicates the direction that malicious actors are taking. The ARM payload for Linux could be used to target popular embedded devices, CPEs [customer premises equipment] and Internet of Things devices; at least the subset of those devices that can be exploited and on which remote code execution can be attained,” the advisory reads.

According to Akamai, the layer 3 DDoS attacks can be mitigated by implementing access control lists (ACLs). Organizations can defend themselves against the layer 7 GET flood with the aid of a SNORT rule described in the advisory.
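The advisory's Snort rule is not reproduced in the article, so as an added illustration (not Akamai's rule or code) here is a rate-based detector for the layer 7 GET flood described above: it parses constructed web-server access-log lines in the common "combined" format and flags any client whose GET count within a sliding window reaches a threshold. The window and threshold values are assumptions and would need tuning to a site's normal traffic.

```python
import re
from collections import defaultdict, deque

# Combined access-log format; only the fields the detector needs are
# captured (client IP, timestamp, request method).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
TIME_RE = re.compile(r'\d+/\w+/\d+:(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)')

def to_seconds(ts):
    """Reduce a CLF timestamp to seconds since midnight (same day assumed)."""
    m = TIME_RE.search(ts)
    return int(m['h']) * 3600 + int(m['m']) * 60 + int(m['s'])

def find_get_flood_sources(lines, window=10, threshold=50):
    """Return the set of client IPs whose GET count inside any `window`-second
    sliding window reaches `threshold`. A pure rate heuristic: the threshold
    is an assumed value and must be tuned to the site's baseline traffic."""
    recent = defaultdict(deque)   # ip -> timestamps of recent GETs
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'GET':
            continue
        t = to_seconds(m['ts'])
        q = recent[m['ip']]
        q.append(t)
        while q and t - q[0] >= window:   # drop events that left the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m['ip'])
    return flagged

# Constructed sample log: one source issuing 60 GETs in 6 seconds (a flood
# pattern) and another fetching a handful of pages at a normal rate.
def sample_log():
    lines = []
    for i in range(60):
        lines.append('203.0.113.10 - - [24/Sep/2014:10:00:%02d +0000] '
                     '"GET /index.php HTTP/1.1" 200 512' % (i // 10))
    for i in range(5):
        lines.append('198.51.100.7 - - [24/Sep/2014:10:00:%02d +0000] '
                     '"GET /page%d.html HTTP/1.1" 200 1024' % (i * 2, i))
    return lines

if __name__ == '__main__':
    print(find_get_flood_sources(sample_log()))   # {'203.0.113.10'}
```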

This isn’t the first time Akamai has warned enterprises of DDoS attacks leveraging Linux malware. In an advisory published earlier this month, the company detailed operations relying on Linux malware dubbed IptabLes and IptabLex, with one attack peaking at 119 Gbps bandwidth and 110 Mpps.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
