Brazilian Anti-DDoS Firm Identified as Hub for Attacks on Local Network Operators
Evidence from an exposed archive links Huge Networks to a massive botnet campaign, though the company claims the activity resulted from a security breach.
Primary source: Krebs on Security.
Fast summary
- An exposed online archive contained private SSH keys belonging to the CEO of Huge Networks alongside malicious Python-based attack scripts.
- The botnet targeted vulnerable TP-Link Archer AX21 routers and leveraged unmanaged DNS servers to conduct reflection and amplification attacks.
- Huge Networks' CEO claims the malicious activity was likely a competitor's attempt to tarnish the company's image following a security breach.

What happened
Huge Networks, a Brazilian technology firm specializing in DDoS protection, has been identified as a primary enabler of a botnet responsible for massive attacks against Brazilian ISPs. For several years, security experts tracked these digital sieges without identifying their origin, until a trusted source discovered an exposed archive in an open online directory. The archive contained Portuguese-language malicious programs and private SSH authentication keys belonging to the firm's chief executive.
What's new in this update
The discovery of the leaked archive has provided direct evidence of how the threat actor maintained root access to Huge Networks' infrastructure. The leaked files include a command-line history detailing the creation of a botnet that mass-scanned the internet for insecure routers and unmanaged DNS servers. While the firm has historically lacked public abuse complaints, the Python scripts found in the archive invoke multiple IP addresses assigned to Huge Networks to execute DDoS campaigns.
Key details
The botnet specifically sought out TP-Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection flaw. Once compromised, these devices were used to perform DNS reflection attacks: the bots sent queries to misconfigured, openly recursive DNS servers with the source address spoofed to the victim's, so the servers delivered their much larger responses to the victim. Because each small query elicits a far larger answer, the attackers could amplify their traffic volume by 60 to 70 times, overwhelming targets. Control servers for the botnet were linked to domains previously flagged for Mirai malware variants.
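The reflection pattern described above leaves a recognizable trace on the victim's side: a flood of DNS responses from many resolvers with little or no matching outbound query traffic. The following is an added defender-side example, not code from the original report or from any party it names; the flow records and IP addresses are constructed (documentation ranges), and the 10x ratio and 3-resolver thresholds are assumed tuning values.

```python
"""Flag hosts receiving DNS reflection traffic in constructed flow records.

Spoofed queries make open resolvers send large answers to a victim that
never asked for them, so the victim sees many DNS responses from many
resolvers while sending few or no queries of its own.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

DNS_PORT = 53


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    nbytes: int


# Constructed flow records; all addresses are from documentation ranges.
SAMPLE_FLOWS: List[Flow] = [
    # Benign client: one query, one modest answer from a single resolver.
    Flow("192.0.2.5", "198.51.100.1", 40001, DNS_PORT, 60),
    Flow("198.51.100.1", "192.0.2.5", DNS_PORT, 40001, 120),
    # Victim receives large answers from several resolvers it never queried.
    Flow("198.51.100.1", "203.0.113.10", DNS_PORT, 50000, 3300),
    Flow("198.51.100.2", "203.0.113.10", DNS_PORT, 50000, 3300),
    Flow("198.51.100.3", "203.0.113.10", DNS_PORT, 50000, 3300),
    Flow("198.51.100.4", "203.0.113.10", DNS_PORT, 50000, 3300),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Response bytes per query byte; 60-70x is the range reported for this campaign."""
    return response_bytes / max(query_bytes, 1)


def find_reflection_targets(flows: List[Flow], min_ratio: float = 10.0,
                            min_resolvers: int = 3) -> Dict[str, Tuple[float, int]]:
    """Return {host: (response/query byte ratio, distinct resolvers)} for hosts
    that receive far more DNS response bytes than they send in DNS queries."""
    resp_bytes: Dict[str, int] = defaultdict(int)
    query_bytes: Dict[str, int] = defaultdict(int)
    resolvers: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.sport == DNS_PORT:        # a DNS response heading to f.dst
            resp_bytes[f.dst] += f.nbytes
            resolvers[f.dst].add(f.src)
        elif f.dport == DNS_PORT:      # a DNS query sent by f.src
            query_bytes[f.src] += f.nbytes
    flagged: Dict[str, Tuple[float, int]] = {}
    for host, rb in resp_bytes.items():
        ratio = amplification_factor(query_bytes[host], rb)
        if ratio >= min_ratio and len(resolvers[host]) >= min_resolvers:
            flagged[host] = (ratio, len(resolvers[host]))
    return flagged
```

On the sample, only 203.0.113.10 is flagged: it sent no queries yet received answers from four resolvers, while the benign client's 2x ratio from a single resolver is ignored.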
Background and context
Founded in 2014, Huge Networks evolved from a game server protection provider into an ISP-focused DDoS mitigation firm. Based in Miami but with operations centered in Brazil, the company is a major player in the regional network security market. The recent attacks identified in the investigation were strictly limited to Brazilian targets, suggesting a localized or competitive motivation for the campaign.
What to watch next
The CEO of Huge Networks has attributed the malicious activity to a security breach and suggested a competitor may be framing the company. Future developments will likely involve forensic audits of the firm's infrastructure to determine if the botnet was an internal operation or the result of a long-term unauthorized compromise by an external threat actor.
Why it matters
The subversion of a DDoS mitigation firm to launch the very attacks it is designed to prevent poses a significant threat to regional network stability and industry trust.