The Commercialization of DDoS: Insights from Aquabotv3

The cybersecurity landscape is constantly evolving, and nowhere is this more evident than in the realm of DDoS attacks. Akamai’s Security Intelligence and Response Team recently uncovered Aquabotv3, a new variant of the Mirai botnet that specifically targets Mitel phone systems. While new botnet variants emerge regularly, this discovery highlights several concerning trends that deserve our industry’s attention. 

First, let’s examine what makes Aquabotv3 technically noteworthy. The malware exploits a command injection vulnerability (CVE-2024-41710) in Mitel’s 6800, 6900, and 6900w series phones. What sets it apart is its ability to notify its command-and-control infrastructure when detection occurs – a capability not previously seen in Mirai variants. While this feature’s purpose remains unclear, it could serve multiple functions: monitoring botnet health, studying defensive measures, or detecting competing botnets.

However, the technical aspects of Aquabotv3 tell only part of the story. What’s particularly concerning is how it represents the broader commercialization of cybercrime. The operators behind this variant are openly advertising their DDoS-as-a-service offerings on Telegram under various names, including “Cursinq Firewall,” “The Eye Services,” and “The Eye Botnet.” This brazen marketing approach demonstrates how cybercrime has evolved from the domain of skilled hackers into a commercial service available to anyone willing to pay.

The timing of this discovery is significant. Just last week, Cloudflare reported mitigating the largest DDoS attack ever recorded – a 5.6 terabits per second assault launched by a Mirai variant against an Asian ISP. This attack, originating from more than 13,000 IoT devices, represents the kind of massive-scale disruption that becomes possible when sophisticated attack tools fall into more hands. The fact that Cloudflare’s autonomous systems could mitigate this attack without human intervention is commendable, but it also underscores the arms race between attackers and defenders.

The statistics paint a sobering picture. DDoS threats increased by 53% in 2024 compared to 2023, with a staggering 1,885% surge in “hyper-volumetric” attacks exceeding 1 Tbps between Q3 and Q4 2024. These numbers reflect not just the persistence of DDoS attacks, but their evolution into increasingly powerful weapons capable of disrupting critical infrastructure.

We’re seeing this impact firsthand. The recent DDoS attack on NTT Docomo disrupted services for Japan’s largest mobile operator, affecting 90 million subscribers and demonstrating how these threats can impact essential telecommunications services. As critical infrastructure becomes more connected, the potential impact of such attacks grows exponentially.

Our industry finds itself at a critical juncture. While foundational security practices remain essential – particularly proper device management and configuration – we must also adapt to this new reality of commercialized DDoS attacks. The sophistication of these attacks, combined with their increasing accessibility, demands a matching evolution in our defensive capabilities. 

The discovery of Aquabotv3 reinforces what our industry has long understood: threat actors are innovative, resourceful, and increasingly business-oriented. Through continued collaboration and research, as demonstrated by the teams at Akamai and Cloudflare and by our own Threat Research Team, we’re building a deeper understanding of these evolving threats. This knowledge sharing is vital as we develop the next generation of defense mechanisms against an increasingly commercialized threat landscape.

I encourage you to review these reports, along with our own technical analyses of Mirai variants, and share your thoughts on how our industry can collectively address these evolving threats. The conversation around DDoS defense must evolve as rapidly as the threats themselves.