A malicious actor has irreparably destroyed his own botnet with nothing more than a typo.
Cybersecurity firm Akamai caught the bug in KmsdBot, a cryptomining botnet that also had Distributed Denial of Service (DDoS) capabilities, when the bot recently crashed with an "index out of range" error.
Akamai researchers were monitoring the botnet when an attack occurred on a crypto-focused website. At that exact moment, the threat actor "forgot" to put a space between an IP address and a port in a command and sent that command to every KmsdBot worker instance. This caused most of them to crash and, because of how the botnet is built, they stayed down.
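The failure mode described above (a missing space merging two fields, so the bot indexes a field that does not exist and dies with a Go runtime "index out of range" panic) is easy to reproduce in a few lines. The following is an added illustration, not code from KmsdBot or from Akamai's report; the four-field "task host port seconds" command layout, the function names and the sample lines are assumptions constructed for the demo. It shows the unchecked parse beside a hardened one that validates field count, IP address, port and duration and returns an error instead of crashing the process.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Command is a hypothetical parsed form of a "task host port seconds" line.
// The field layout is an assumption for illustration, not KmsdBot's real format.
type Command struct {
	Host     string
	Port     int
	Duration int
}

// parseNaive indexes the whitespace-separated fields without checking how many
// there are. A missing space merges two fields, so fields[3] does not exist and
// Go raises a runtime "index out of range" panic, which kills the whole process
// unless something recovers it.
func parseNaive(line string) Command {
	fields := strings.Fields(line)
	port, _ := strconv.Atoi(fields[2])
	dur, _ := strconv.Atoi(fields[3])
	return Command{Host: fields[1], Port: port, Duration: dur}
}

// runNaive wraps parseNaive so the demo can report the panic instead of dying.
// With named results, the deferred recover can set panicked=true on the way out.
func runNaive(line string) (cmd Command, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return parseNaive(line), false
}

// parseSafe validates the field count and each field's contents, returning an
// error for malformed input rather than crashing.
func parseSafe(line string) (Command, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return Command{}, fmt.Errorf("expected 4 fields, got %d", len(fields))
	}
	if net.ParseIP(fields[1]) == nil {
		return Command{}, errors.New("invalid IP address: " + fields[1])
	}
	port, err := strconv.Atoi(fields[2])
	if err != nil || port < 1 || port > 65535 {
		return Command{}, errors.New("invalid port: " + fields[2])
	}
	dur, err := strconv.Atoi(fields[3])
	if err != nil || dur <= 0 {
		return Command{}, errors.New("invalid duration: " + fields[3])
	}
	return Command{Host: fields[1], Port: port, Duration: dur}, nil
}

func main() {
	good := "task 203.0.113.10 8080 60" // constructed, well-formed line
	typo := "task 203.0.113.108080 60"  // constructed: the space between IP and port is missing

	for _, line := range []string{good, typo} {
		if cmd, p := runNaive(line); p {
			fmt.Printf("naive: %q -> panic (index out of range)\n", line)
		} else {
			fmt.Printf("naive: %q -> %+v\n", line, cmd)
		}
		if cmd, err := parseSafe(line); err != nil {
			fmt.Printf("safe:  %q -> rejected: %v\n", line, err)
		} else {
			fmt.Printf("safe:  %q -> %+v\n", line, cmd)
		}
	}
}
```

Run it with `go run main.go`: the well-formed line parses under both functions, while the typo line panics in parseNaive (only the recover in runNaive keeps the demo alive) and is cleanly rejected by parseSafe with "expected 4 fields, got 3". From a defender's perspective the same lesson applies to any long-running service that takes operator commands: bounds-check every field before indexing, or a single malformed message becomes a fleet-wide crash.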
No persistence botnet
The botnet is written in Golang and has no persistence, so the only way to make it work again would be to re-infect all the machines that make up the botnet.
Speaking with DarkReading, Larry Cashdollar, Akamai's senior security intelligence response engineer, said that almost all KmsdBot activity tracked by the company has ceased, but added that the threat actors may attempt to re-infect endpoints. Reporting on the news, Ars Technica added that the best way to defend against KmsdBot is to use public key authentication for secure shell logins, or at least to use stronger login credentials.
According to Akamai, the default target of the botnet is a company that builds private online servers for Grand Theft Auto, and while the bot was capable of mining cryptocurrency for the attackers, this feature was not seen running during the investigation; instead, it was the DDoS functionality that was active. In other cases, it has targeted security companies and luxury car brands.
The company first detected the botnet in November of this year when it brute-forced systems with weak SSH credentials.