OVHcloud Faces Record DDoS Attacks, Cybersecurity Threats Rise

OVHcloud, a leading cloud service provider, faced a series of record-breaking DDoS attacks, including one with a packet rate of 840 million packets per second originating from compromised MikroTik devices. These attacks highlighted the increasing threat of sophisticated botnets like Zergeca and the importance of cybersecurity measures.

At a glance

  • OVHcloud experienced record-breaking DDoS attacks
  • Attack sizes exceeding 1 Terabit per second became common in 2024
  • High packet rate attacks originated from compromised MikroTik devices
  • Zergeca botnet poses new cybersecurity threat with evolving capabilities
  • Companies must update systems and collaborate with experts to mitigate risks

The details

OVHcloud, a top cloud service provider, recently experienced a series of Distributed Denial of Service (DDoS) attacks that set new records in terms of volume and intensity. Earlier this year, the company successfully mitigated a record-breaking attack that reached a packet rate of 840 million packets per second.

DDoS attack sizes have been increasing since 2023, and in 2024 attacks exceeding 1 Terabit per second became more common. Over the past 18 months, OVHcloud has faced multiple attacks that sustained high bit rates and packet rates over extended periods. The highest bit rate recorded during this period was 2.5 Terabits per second on May 25, 2024.

These attacks were especially impactful because they made extensive use of core network devices, particularly MikroTik models, which also made them more difficult to detect and mitigate.

One of the attacks OVHcloud dealt with involved a massive packet rate of 840 million packets per second, surpassing the previous record. The attack, a TCP ACK flood, originated from 5,000 source IPs, and two-thirds of the packets were routed through four Points of Presence in the U.S. Many of these high packet rate attacks originated from compromised MikroTik Cloud Core Router devices.

Nearly 100,000 MikroTik devices were found to be reachable and exploitable over the internet. Researchers estimate that hijacking just 1% of these exposed models could result in attacks reaching 2.28 billion packets per second.

Despite warnings to upgrade RouterOS, MikroTik devices have been used to build powerful botnets. This poses a significant cybersecurity threat.

OVHcloud informed MikroTik of its findings but has not yet received a response.

Separately, cybersecurity researchers recently uncovered a new botnet called Zergeca, which is capable of conducting DDoS attacks. This has raised concerns in the cybersecurity community.

The botnet, written in Golang, features six different attack methods and various capabilities, such as proxying, scanning, self-upgrading, and collecting sensitive device information.

Zergeca uses DNS-over-HTTPS for DNS resolution of the Command and Control (C2) server and a lesser-known library called Smux for C2 communications. Evidence suggests that the malware is actively evolving and being updated to support new commands. The C2 IP address associated with Zergeca was previously linked to distributing the Mirai botnet.

Zergeca's attacks have primarily been ACK flood DDoS attacks, targeting countries including Canada, Germany, and the U.S. The botnet comprises four modules: persistence, proxy, silivaccine, and zombie. These modules enable it to set up persistence, implement proxying, remove competing malware, and gain control over devices.

The zombie module reports sensitive information to the C2 and supports various functions, including DDoS attacks, scanning, and a reverse shell.

The emergence of sophisticated botnets like Zergeca, together with the exploitation of vulnerable devices such as MikroTik routers, highlights growing cybersecurity threats.

Companies must remain vigilant, update their systems regularly, and collaborate with security experts to mitigate these risks.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

securityweek.com
– OVHcloud mitigated a record-breaking DDoS attack earlier this year with a packet rate of 840 million packets per second
– Attack sizes have been increasing since 2023, with those exceeding 1 Tbps becoming more frequent in 2024
– Multiple attacks sustained high bit rates and packet rates over extended periods in the past 18 months
– The highest bit rate recorded by OVHcloud during that period was 2.5 Tbps on May 25, 2024
– Core network devices, particularly MikroTik models, were extensively used in attacks, making them more impactful and challenging to detect
– OVHcloud had to mitigate a massive packet rate attack that reached 840 Mpps, surpassing the previous record holder
– The TCP ACK attack originated from 5,000 source IPs, with two-thirds of the packets routed through four Points of Presence in the United States
– Many high packet rate attacks, including the record-breaking one from April, originated from compromised MikroTik Cloud Core Router devices
– Nearly 100,000 MikroTik devices were found to be reachable/exploitable over the internet
– Hijacking 1% of the exposed models into a botnet could result in attacks reaching 2.28 billion packets per second
– MikroTik devices have been used to build powerful botnets in the past, despite warnings to upgrade RouterOS
– OVHcloud informed MikroTik of their findings, but has not received a response
bleepingcomputer.com
– Cybersecurity researchers have discovered a new botnet called Zergeca capable of conducting DDoS attacks
– The botnet is written in Golang and named after a string present in the C2 servers
– Zergeca supports six different attack methods and has various capabilities including proxying, scanning, self-upgrading, and collecting sensitive device information
– The botnet uses DNS-over-HTTPS for DNS resolution of the C2 server and a lesser-known library called Smux for C2 communications
– Evidence suggests that the malware is actively developing and updating to support new commands
– The C2 IP address used by Zergeca was previously associated with distributing the Mirai botnet
– Attacks by Zergeca, primarily ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S.
– Zergeca features four modules for persistence, proxy, silivaccine, and zombie to set up persistence, implement proxying, remove competing malware, and gain control over devices
– The zombie module reports sensitive information to the C2 and supports various functions including DDoS attacks, scanning, and reverse shell
– The botnet shows familiarity with common Linux threats and uses evasion tactics like modified UPX packing, XOR encryption, and DoH for C2 resolution
