Updated: Security researchers have identified a DDoS botnet that has infected potentially millions of smart TVs and set-top boxes, linking it to an eight-year-old cybercrime syndicate known as Bigpanzi.
At its peak, the campaign saw at least 170,000 bots operating daily after infiltrating Android-based TVs and other streaming devices through pirated apps and firmware updates.
The typical infection scenario involves users visiting dubious streaming sites on their smartphones, leading them to download associated malicious apps onto their Android-based smart TVs. Once infected, these devices become backdoored, making their resources available for various cybercrimes, including DDoS attacks and hijacking other streams to replace content with the attacker's material.
In a notable incident in December 2023, regular broadcasts in the United Arab Emirates were hijacked, showcasing imagery from the conflict between Israel and Palestine.
Security firm Qianxin's researchers expressed concern about the potential for Bigpanzi-controlled devices to broadcast violent or inappropriate content, posing a significant threat to social order and stability. They noted that such devices could even employ increasingly convincing AI-generated videos for political propaganda.
While the researchers did not provide a detailed history of the botnet's DDoS activities or attribute it to any high-profile attacks, they revealed that its DDoS commands are inherited from the notorious Mirai malware.
The malware, named pandoraspear, has evolved over time, adding 11 different Mirai-related DDoS attack vectors to its list of commands. Mirai, infamous for high-profile DDoS attacks in 2016 on Dyn, GitHub, Reddit, and Airbnb, continues to be active and under development.
Qianxin's investigation pointed to Bigpanzi and the pandoraspear malware being active since at least 2015. Efforts to trace Bigpanzi are ongoing, with the ultimate goal of delivering a decisive strike against the cybercrime syndicate.
Bigpanzi's primary focus has been in Brazil, particularly São Paulo, where the majority of the 170,000 bots were identified during the campaign's peak. The scale of the botnet became apparent when two of its nine domains expired, allowing researchers to register them and gain insights into its operations.
The researchers encountered aggressive retaliation from the cybercriminals after hijacking the domains, including DDoS attacks against them and manipulation of the hosts files on infected devices so that the botnet's domain names resolved to attacker-chosen addresses instead of the sinkholed ones. Despite these challenges, the researchers aim to continue their work in understanding and combating Bigpanzi.
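The hosts-file manipulation described above is a concrete, checkable artifact on a compromised device: a static entry pins a domain to an IP address, bypassing DNS and therefore any sinkhole a defender has set up. The following Python script is an added example, not code from the Qianxin report or from the Bigpanzi malware; it parses a hosts file and flags entries that map a hostname to a non-loopback address, optionally restricted to a watchlist of domains a defender tracks. The sample hosts content, the `example-streaming-cdn.invalid` names and the `203.0.113.10` / `10.0.0.5` addresses are constructed placeholders and are not real indicators from the page.

```python
"""Flag hosts-file overrides that could defeat DNS-based sinkholing.

Added example for illustration; the sample data below is constructed and
is not a real indicator of compromise.
"""
import ipaddress
import sys

# Constructed sample of a tampered hosts file on an Android-based box.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
# added by installer
203.0.113.10    update.example-streaming-cdn.invalid
203.0.113.10    api.example-streaming-cdn.invalid
10.0.0.5        nas.local
"""


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Comments and blank lines are ignored; lines whose first field is not a
    valid IP address are skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not something we can reason about
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def _matches_watchlist(name, watched):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_overrides(text, watched_domains=(), allowlist=()):
    """Return [(ip, hostname)] for entries that pin a name to a non-loopback IP.

    watched_domains: if non-empty, only report names under these domains
                     (e.g. botnet domains a defender has sinkholed).
    allowlist:       hostnames that are expected in the file (LAN devices etc.).
    Loopback entries (127.0.0.1 / ::1) are normal and never reported.
    """
    watched = {d.lower() for d in watched_domains}
    allowed = {n.lower() for n in allowlist}
    flagged = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or name in allowed:
            continue
        if watched and not _matches_watchlist(name, watched):
            continue
        flagged.append((str(ip), name))
    return flagged


if __name__ == "__main__":
    # Read a real hosts file if a path is given, else use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, name in suspicious_overrides(text, allowlist=["nas.local"]):
        print(f"override: {name} -> {ip}")
```

On a device under investigation, pass the path to the hosts file (on Android it is normally `/system/etc/hosts`) and an allowlist of names you expect; anything left over that points a public domain at a fixed address deserves a closer look, since it is exactly what would let an infected box keep talking to a server after the domain itself has been taken over.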
As the researchers emphasize, their findings represent only a fraction of what Bigpanzi entails, and collaboration with the wider cybersecurity community is essential to address the threat posed by this group comprehensively.