Mass exploitation and DDoS attack tools emerge with powerful capabilities

Hacking is often portrayed in the media as an elite technical activity undertaken by highly skilled individuals. While this is certainly true at the most advanced levels, the availability of easy-to-use tools and scripts continues to lower the barrier to entry for novice attackers.

Admittedly, this is not a new phenomenon. Popular pen testing suite Metasploit was released more than a decade ago. Shodan, the search engine for internet-connected devices, has been around since 2009. Yet every so often, a piece of software is released that makes it even easier for inexperienced hackers to commit significant cyberattacks.

One of the latest such creations, Autosploit, combines Metasploit modules with Shodan data to automate the exploitation of remote hosts. Users enter platform-specific search queries such as “Apache” or “IIS”, and the Shodan results become the target list. Once the search completes, Autosploit runs a set of Metasploit modules against those hosts in turn, aiming for remote code execution in the form of reverse TCP shells and/or Meterpreter sessions.

Notably, however, Autosploit can also run every available Metasploit module against the targets, regardless of whether a given exploit has anything to do with the host's platform. Consequently, it gives unskilled attackers a convenient means of launching powerful and indiscriminate attacks.

When the initial version was released at the end of January, several commentators noted its poor functionality and limited targeting capabilities. However, Version 2.0, released on 1 March, includes several enhancements. Users can now drive the script with command line arguments, and Censys and Zoomeye search data have been added alongside Shodan. Most importantly, later versions will reportedly include the ability to select custom targets and exploits.

Around the same time that Autosploit v2.0 was launched, two proof-of-concept tools were released that allow attackers to launch massive DDoS attacks. Both abuse misconfigured Memcached servers, a technique that has generated record-breaking DDoS attacks in recent days. The first, measuring 1.3 Tbps, hit GitHub on 28 February. Several days later, Arbor Networks reported an unprecedented 1.7 Tbps attack against a customer of a US service provider.

In both instances, the attacker sent small UDP requests to port 11211 of the misconfigured servers, with the source IP address spoofed to that of the intended victim. Memcached answered each request with data from its cache, in responses thousands of times (in the worst case tens of thousands of times) larger than the request, and delivered them to the spoofed address. The victim is therefore flooded by legitimate servers it never contacted, and the attacker's own address never appears in the traffic. The misconfiguration is exposing the UDP listener to the internet at all: memcached has no authentication, so the fix is to disable UDP (the -U 0 option), bind the service to localhost or an internal interface, and filter port 11211 at the network edge. Memcached 1.5.6 disables the UDP listener by default.
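The following is an added illustration, not code from the article or from either of the tools it describes. It frames a memcached text-protocol command for UDP (the 8-byte request-id/sequence/count/reserved header that memcached uses on that transport), parses the multi-datagram reply and measures the amplification factor against a constructed stand-in reply; it then applies the simple flow-level check a victim's network team would use to spot reflected traffic (inbound UDP sourced from port 11211 with near-MTU-sized packets). The stats reply, the flow records and the addresses are all constructed for the example; nothing here touches the network.

```python
import struct

MEMCACHED_PORT = 11211
# memcached's UDP framing: request id, sequence number, datagrams in message, reserved (0)
UDP_FRAME = struct.Struct("!HHHH")


def build_udp_probe(request_id: int, command: bytes = b"stats\r\n") -> bytes:
    """Frame a text-protocol command for UDP: 8-byte header followed by the command."""
    return UDP_FRAME.pack(request_id, 0, 1, 0) + command


def parse_udp_frame(datagram: bytes) -> dict:
    """Split a memcached UDP datagram into header fields and payload."""
    if len(datagram) < UDP_FRAME.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = UDP_FRAME.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved header field must be zero")
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[UDP_FRAME.size:]}


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes the server emits per byte the sender transmits (UDP payloads only)."""
    return sum(len(r) for r in responses) / len(request)


def fake_stats_reply(request_id: int, n_stats: int = 60, lines_per_datagram: int = 30) -> list:
    """Constructed stand-in for a 'stats' reply, split across datagrams the way
    memcached does it. This is not captured traffic."""
    lines = [f"STAT stat_{i} {i * 12345}\r\n".encode() for i in range(n_stats)]
    lines.append(b"END\r\n")
    chunks = [b"".join(lines[i:i + lines_per_datagram])
              for i in range(0, len(lines), lines_per_datagram)]
    return [UDP_FRAME.pack(request_id, seq, len(chunks), 0) + chunk
            for seq, chunk in enumerate(chunks)]


# Constructed flow records (RFC 5737 documentation addresses) of the kind a
# NetFlow/IPFIX collector would produce. Not real traffic.
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "198.51.100.7", "sport": 11211, "dst": "203.0.113.10",
     "dport": 47812, "packets": 120, "bytes": 168000},   # reflected memcached traffic
    {"proto": "udp", "src": "198.51.100.9", "sport": 53, "dst": "203.0.113.10",
     "dport": 33211, "packets": 4, "bytes": 600},        # ordinary DNS answers
    {"proto": "tcp", "src": "10.0.0.5", "sport": 11211, "dst": "10.0.0.6",
     "dport": 51000, "packets": 40, "bytes": 9000},      # legitimate TCP client traffic
    {"proto": "udp", "src": "198.51.100.7", "sport": 11211, "dst": "10.0.0.6",
     "dport": 11211, "packets": 2, "bytes": 90},         # small UDP reply, not amplified
]


def reflection_suspects(flows, min_bytes_per_packet: int = 1000) -> list:
    """Flag UDP flows sourced from 11211 whose packets are near MTU size: the
    signature of memcached reflection as seen at the victim's edge."""
    return [f for f in flows
            if f["proto"] == "udp" and f["sport"] == MEMCACHED_PORT
            and f["bytes"] / f["packets"] >= min_bytes_per_packet]


if __name__ == "__main__":
    probe = build_udp_probe(0x1234)
    reply = fake_stats_reply(0x1234)
    print(f"probe {len(probe)} bytes -> reply {sum(map(len, reply))} bytes, "
          f"factor {amplification_factor(probe, reply):.1f}x")
    for f in reflection_suspects(SAMPLE_FLOWS):
        print("suspect reflection:", f["src"], "->", f["dst"],
              f["bytes"] // f["packets"], "B/pkt")
```

Even the modest constructed reply gives a factor above 80x for a 15-byte probe; a real server whose cache holds large values answers a single get with far more. The flow check keys on source port and bytes per packet rather than on volume alone because legitimate memcached traffic is TCP between internal hosts and its replies are small, so a flood of large UDP datagrams from port 11211 arriving from the internet has no benign explanation.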

Given the media coverage the attacks received, it is not surprising that tools to exploit the method were released so quickly. The first, written in C (memcached.c), ships with a list of 17,000 IP addresses of vulnerable Memcached servers. The second, dubbed 'Memcrashed', is a Python script that has been updated several times since its initial release on 2 March. Like Autosploit, it uses Shodan data, in this case to find exposed Memcached servers; once the search completes, the user can immediately launch a DDoS attack against a target of their choosing.

In each instance, the availability of these tools underscores the increasingly destructive power that can be unleashed by individuals with minimal technical skill. Some will do so intentionally, committing serious attacks that might otherwise be beyond them. Others, however, may launch attacks without fully understanding the capabilities of the tools and the potential ramifications of their use. Either way, as the number of internet-connected devices grows, the risk of serious attacks is likely to increase.