Security Firm Huge Networks Linked to Sustained DDoS Campaign Against Brazilian ISPs
Exposed files reveal that infrastructure belonging to the Brazilian DDoS protection provider was used to orchestrate attacks using compromised routers.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
- An exposed archive contained private SSH keys for the CEO of Huge Networks and scripts for orchestrating DDoS attacks.
- The botnet leveraged a 2023 vulnerability in TP-Link Archer AX21 routers to build its capacity through unauthenticated command injection.
- Huge Networks' CEO claims the malicious activity resulted from a security breach intended to tarnish the company's public image.

What happened
Security researchers have identified a direct link between the infrastructure of Huge Networks, a Brazilian DDoS protection firm, and a botnet responsible for a sustained campaign of massive attacks against rival Brazilian ISPs. Evidence emerged from an exposed archive found in an open directory, which contained malicious Python scripts and private authentication keys belonging to the firm's leadership.
What's new in this update
The discovery includes the exposure of private SSH keys belonging to the CEO of Huge Networks. These keys, found alongside command-line history and attack scripts, show that a threat actor used DigitalOcean servers to coordinate the scanning and execution of DDoS campaigns. The scripts specifically invoked multiple IP addresses assigned to Huge Networks to identify targets and execute the digital sieges.
Key details
The botnet utilized CVE-2023-1389, a vulnerability in TP-Link Archer AX21 routers, to enlist tens of thousands of devices. By employing DNS reflection and amplification, the attackers were able to turn small 100-byte queries into massive responses 60 to 70 times their original size. The operation also involved domains previously flagged as control servers for Mirai malware variants, such as hikylover[.]st and c.loyaltyservices[.]lol.
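The reflection pattern described above can be spotted at an ISP border as large DNS responses that arrive without a matching outbound query. The following is an added example, not code from the article or the leaked archive; the flow-record layout, the thresholds, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records at an ISP border, not data from the incident:
# (direction, src_ip, src_port, dst_ip, dst_port, dns_id, bytes)
FLOWS = [
    ("out", "198.51.100.10", 40001, "203.0.113.53", 53, 0x1A2B, 78),
    ("in",  "203.0.113.53", 53, "198.51.100.10", 40001, 0x1A2B, 310),
    ("in",  "192.0.2.11", 53, "198.51.100.77", 3074, 0x0001, 3900),
    ("in",  "192.0.2.12", 53, "198.51.100.77", 3074, 0x0002, 4010),
    ("in",  "192.0.2.13", 53, "198.51.100.77", 3074, 0x0003, 3950),
    ("in",  "192.0.2.11", 53, "198.51.100.77", 3074, 0x0004, 3980),
]

def find_reflection_victims(flows, min_packets=3, min_avg_bytes=1000):
    """Flag internal hosts receiving large DNS responses they never asked for."""
    pending = set()  # queries that internal hosts really sent
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for direction, src, sport, dst, dport, dns_id, size in flows:
        if direction == "out" and dport == 53:
            pending.add((src, sport, dst, dns_id))
        elif direction == "in" and sport == 53:
            key = (dst, dport, src, dns_id)
            if key in pending:  # legitimate answer to a real query
                pending.discard(key)
                continue
            s = stats[dst]  # unsolicited response: reflected traffic
            s["packets"] += 1
            s["bytes"] += size
            s["reflectors"].add(src)
    victims = {}
    for host, s in stats.items():
        if s["packets"] >= min_packets and s["bytes"] / s["packets"] >= min_avg_bytes:
            victims[host] = {"packets": s["packets"], "bytes": s["bytes"],
                             "reflectors": sorted(s["reflectors"])}
    return victims

def attacker_bytes_estimate(victim_bytes, factor_low=60, factor_high=70):
    """Spoofed query bytes needed to yield victim_bytes at 60-70x amplification."""
    return victim_bytes / factor_high, victim_bytes / factor_low

if __name__ == "__main__":
    for host, info in find_reflection_victims(FLOWS).items():
        print(host, info, attacker_bytes_estimate(info["bytes"]))
```

The estimate function applies the 60 to 70 times factor quoted in the article to show how little upstream bandwidth the sender needs relative to what the victim receives.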
Background and context
Huge Networks was founded in 2014 and grew from a game-server protection service into a major provider for internet service providers in Brazil. For several years, security experts tracked localized DDoS attacks targeting Brazilian infrastructure without clear attribution. While Huge Networks has no prior history of abuse complaints, the leaked archive suggests its resources were weaponized against the very industry it serves.
What to watch next
The CEO of Huge Networks has denied intentional involvement, attributing the incident to a sophisticated breach by a competitor. Further investigation is expected to determine the extent of the unauthorized access and whether other protected networks were compromised during the period the botnet was active.
Why it matters
This incident highlights a scenario where a firm hired for protection is implicated in the very attacks it is paid to mitigate, raising questions about supply chain trust.
Sources and methodology