A Botnet for 8 Years, for... Anime?

For nearly eight years, a hacker silently hijacked NVRs (network video recorders) and NAS (network-attached storage) devices, turning them into a botnet whose sole purpose was to connect to websites and download anime videos.


Named Cereals and first spotted in 2012, the botnet reached its peak in 2015 when it amassed more than 10,000 bots.

The botnet operated without detection by most cyber-security firms despite its size. Today, Cereals is slowly disappearing: the vulnerable D-Link devices it controlled all these years are aging out, being shut down and discarded by their owners. The botnet's decline was also accelerated in 2019, when the Cr1ptT0r ransomware strain wiped the Cereals malware from many of the infected systems.

Now that both the botnet and the vulnerable devices behind it are dying off, cyber-security firm Forcepoint has published a report on the botnet's operations.

According to Forcepoint, the Cereals botnet was unusual in how it was operated: it exploited just one vulnerability during its entire lifespan.

The vulnerability resided in the SMS notification feature of the D-Link firmware that powered the company's line of NAS and NVR devices.

The bug allowed Cereals to send a malformed HTTP request to the vulnerable device's built-in web server and execute commands with root privileges. Big yikes. Root is the "boss" account: whoever holds it can read, write, or delete anything on the device, so one request meant total ownership of the box.
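The post names the bug class (request data reaching a command run as root through the SMS notification feature) but not the actual D-Link request fields or the code behind them, so the following is an added illustration, not D-Link firmware and not Cereals code. It shows a hypothetical notification handler that pastes a phone number from the HTTP request into a shell command, next to a hardened form that validates the number and runs the helper without a shell. The helper name `sendsms`, the field names and the number format are assumptions for the demonstration.

```c
/*
 * Added illustration of the bug class described above. This is NOT the
 * D-Link firmware and NOT the Cereals exploit; the helper binary
 * "sendsms", the request fields and the phone-number format are assumed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* Vulnerable pattern: the phone number taken from the HTTP request is pasted
 * into a shell command string. A value such as "1;id" makes /bin/sh run "id"
 * (or any other command) as the web server's user, on such devices root.
 * The caller would follow this with system(cmd). */
int vulnerable_build_cmd(const char *number, const char *text,
                         char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "sendsms %s '%s'", number, text);
    return (n > 0 && (size_t)n < cmd_len) ? 0 : -1;
}

/* Hardened check: accept only an optional leading '+' followed by 3..15
 * digits (E.164 length). Shell metacharacters such as ';', '`', '$', '|'
 * and spaces never get past this point. Returns 1 if valid, 0 otherwise. */
int valid_phone_number(const char *number)
{
    size_t i = 0, digits = 0;
    if (number == NULL) return 0;
    if (number[0] == '+') i = 1;
    for (; number[i] != '\0'; i++) {
        if (!isdigit((unsigned char)number[i])) return 0;
        digits++;
    }
    return digits >= 3 && digits <= 15;
}

/* Hardened sender: validate first, then run the helper with an argv array
 * via execv so no shell ever parses request data. Returns the helper's exit
 * status, or -1 on validation failure or exec/fork error. */
int hardened_send_sms(const char *helper, const char *number, const char *text)
{
    if (!valid_phone_number(number) || text == NULL || strlen(text) > 160)
        return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)number, (char *)text, NULL };
        execv(helper, argv);
        _exit(127);             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *injected = "1;id";             /* constructed attacker input */

    vulnerable_build_cmd(injected, "hello", cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("hardened accepts \"%s\": %d\n", injected, valid_phone_number(injected));
    printf("hardened accepts \"+15551234567\": %d\n", valid_phone_number("+15551234567"));
    /* /bin/true stands in for the real SMS helper so this runs anywhere */
    printf("hardened_send_sms via /bin/true: %d\n",
           hardened_send_sms("/bin/true", "+15551234567", "hello"));
    return 0;
}
```

The point to take away is the second half: a fixed-format field like a phone number should be validated against the one shape it can legitimately have, and the helper should be invoked with an argument vector rather than through `system()`, so that request data can never be interpreted by a shell regardless of what it contains.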

Forcepoint says the hacker scanned the internet for D-Link systems vulnerable to this one bug; once a device was found, the hacker exploited the flaw to install the Cereals malware on it.

The Cereals botnet was quite advanced. It maintained about four separate backdoor mechanisms for accessing infected devices, it even went as far as patching the systems it compromised to keep other attackers from hijacking them, and it managed its bots across twelve smaller subnets.

Despite this advanced setup, Forcepoint says the botnet was most likely a hobby project, since it never tried to make money from the devices. That is quite the hobby. All that for a drop of anime.

The botnet exploited one single vulnerability, with apparently no thought of expanding its operation to other kinds of systems.

Cereals never wandered away from grabbing anime videos. Forcepoint says the botnet did not carry out DDoS attacks, and the firm found no evidence that it tried to access user data stored on the hacked devices.

It's amazing that a botnet of this size operated for almost eight years with the sole objective of collecting anime videos. What a passion project.

Posted on Apr 26, 2020 8:21:00 AM by Marcos Xochihua in Cyber Security


Written by Marcos Xochihua

Marcos Xochihua is a Network Security major and Student Ambassador at University of Advancing Technology (UAT)
