What can I say? 2019 has been an eventful year for botnet operators. We have seen everything from large-scale takedowns that target those who host malicious services to new and improved attack vectors. While the attack landscape continues to grow at a rapid rate for botherders, we really need to sit down and start considering the risk associated with the cloud and IoT devices in 2020.
In general, a botnet is a network of compromised devices that have been infected with malware, allowing an attacker to control them. Botherders control these infected devices through covert channels, issuing commands to the devices to perform malicious activities such as launching distributed denial of service (DDoS) attacks, sending malicious spam, or stealing information.
When it comes to botnets that launch denial of service attacks, Mirai and its variants still dominate the landscape. Mirai was discovered in 2016 by MalwareMustDie and originally targeted the SSH and Telnet protocols by exploiting default or hardcoded credentials. Mirai, its variants and other botnets have evolved over the last three years and now leverage multiple exploits that target both residential and enterprise devices.
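Mirai-style credential attacks are loud on the wire: a single infected host opens Telnet or SSH connections to a large number of distinct addresses in a short time before it ever tries a password. The detector below is an added example (not code from the original post or from any of the projects it names) that scans constructed connection records for exactly that pattern. The "timestamp src dst dport" record format, the sample addresses, and the thresholds are assumptions; adapt the parser to whatever flow or firewall log you actually collect.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection records: "timestamp src dst dport".
# The format is an assumption for this example, not a real product's log.
SAMPLE_LOG = """\
2019-12-01T10:00:01 203.0.113.7 192.0.2.10 23
2019-12-01T10:00:01 203.0.113.7 192.0.2.11 23
2019-12-01T10:00:02 203.0.113.7 192.0.2.12 2323
2019-12-01T10:00:02 203.0.113.7 192.0.2.13 23
2019-12-01T10:00:03 203.0.113.7 192.0.2.14 23
2019-12-01T10:00:03 203.0.113.7 192.0.2.15 22
2019-12-01T10:00:04 198.51.100.4 192.0.2.10 443
2019-12-01T10:00:05 198.51.100.4 192.0.2.10 443
2019-12-01T10:30:00 203.0.113.9 192.0.2.20 23
"""

# Ports a Mirai-style scanner probes for default-credential logins
# (Telnet on 23 and the alternate 2323, plus SSH on 22).
SCAN_PORTS = {22, 23, 2323}


def parse_records(text):
    """Turn the sample text into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_scanners(records, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: distinct_target_count} for every source that contacted
    at least `min_targets` distinct hosts on SCAN_PORTS inside any `window`.
    Ordinary clients talk to a few hosts; a scanner fans out to many."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        # Sliding window over the source's events, ordered by time.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in find_scanners(parse_records(SAMPLE_LOG)).items():
        print(f"possible Telnet/SSH scanner {src}: {count} distinct targets")
```

On the constructed sample only 203.0.113.7 is flagged (six distinct targets in three seconds); the HTTPS client and the single Telnet connection from 203.0.113.9 stay below the threshold. Counting distinct destinations rather than raw connection attempts is what keeps a busy but legitimate management host from tripping the alert.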
Botnets that send malspam are still one of the most popular and effective methods for delivering phishing emails in bulk that contain or link to infected documents. These campaigns are designed to commit fraud via information theft and typically leverage modular trojans like Emotet and TrickBot. If the user opens the document, their computer becomes infected. After infection, the malware quickly begins harvesting and extracting data from the victim’s device for fraudulent purposes. Some trojans even have modules that allow the botnet to grow by spreading to and infecting other devices.
Botherders looking to carry out denial of service attacks continue to leverage residential and enterprise devices to build massive botnets, but at the same time they are also searching for new attack vectors to employ within their botnets so they can effectively carry out crippling network attacks.
One of the more notable attack vectors from this year was the announcement regarding the Web Services Dynamic Discovery (WSD) protocol and how it can be abused to launch amplified DDoS attacks. Another newly discovered vector of attack this year included the abuse of macOS’s Apple Remote Management Service (ARMS).
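Both WSD and ARMS are UDP services that answer a small request with a much larger response, so reflected traffic shows up at the victim as UDP flows arriving from a fixed source port on many unrelated hosts, with a large average packet size. The following is an added example (not code from the original post) of a flow-level detector for that signature. The flow tuple layout and the sample values are constructed; the WSD (3702/udp) and ARMS (3283/udp) ports are the two vectors the post names, and the example goes beyond the post by also listing a few long-standing reflector ports (DNS, NTP, SSDP, memcached) so the same logic covers them.

```python
from collections import defaultdict

# UDP services abused as reflectors, keyed by the source port the reflected
# traffic arrives from at the victim. WSD and ARMS are the two this post
# discusses; the others are well-known amplification vectors.
REFLECTOR_PORTS = {
    3702: "WS-Discovery (WSD)",
    3283: "Apple Remote Management Service (ARMS)",
    53: "DNS",
    123: "NTP",
    1900: "SSDP",
    11211: "memcached",
}

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes).
SAMPLE_FLOWS = [
    ("udp", "203.0.113.5", 3702, "192.0.2.80", 40000, 120, 180000),
    ("udp", "203.0.113.6", 3702, "192.0.2.80", 40000, 110, 165000),
    ("udp", "203.0.113.7", 3283, "192.0.2.80", 40000, 90, 95000),
    ("udp", "203.0.113.8", 3702, "192.0.2.80", 40000, 100, 150000),
    ("udp", "198.51.100.2", 53, "192.0.2.80", 51515, 1, 120),   # ordinary DNS reply
    ("tcp", "198.51.100.3", 443, "192.0.2.81", 52000, 40, 30000),  # unrelated TCP
]


def detect_reflection(flows, min_sources=3, min_bytes=100_000, min_avg_pkt=300):
    """Aggregate inbound UDP flows that come from a known reflector port, per
    destination, and return the destinations that look like reflection victims:
    many distinct reflectors, a large byte volume, and large average packets.
    The min_avg_pkt filter is what separates an amplified response stream from
    a normal small DNS or NTP reply."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "vectors": set()})
    for proto, src_ip, src_port, dst_ip, dst_port, packets, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS or packets == 0:
            continue
        if nbytes / packets < min_avg_pkt:
            continue  # small replies are what legitimate clients receive
        entry = per_dst[dst_ip]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
        entry["vectors"].add(REFLECTOR_PORTS[src_port])

    alerts = {}
    for dst_ip, e in per_dst.items():
        if len(e["sources"]) >= min_sources and e["bytes"] >= min_bytes:
            alerts[dst_ip] = {
                "sources": len(e["sources"]),
                "bytes": e["bytes"],
                "vectors": sorted(e["vectors"]),
            }
    return alerts


if __name__ == "__main__":
    for dst, info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['bytes']} bytes from {info['sources']} reflectors via {info['vectors']}")
```

On the sample, 192.0.2.80 is reported with four reflectors and 590,000 bytes over the WSD and ARMS vectors; the single 120-byte DNS reply and the TCP flow are ignored. The same per-destination aggregation is the view a network team needs when deciding whether to drop traffic from a reflector port at the edge, which is the usual mitigation for these vectors.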
This year we also saw botherders chaining trojans together to maximize their efforts in malspam campaigns. Criminals are aware that their malspam campaigns are very loud and noticeable. They are also aware there is a booming industry around pay-per-infection or Malware-Delivery-as-a-Service. As a result, criminals are looking to monetize anything they can while inside the infected device.
This year Cybereason detailed such an attack, titled Triple Threat. In this attack, criminals who were targeting large enterprises used the Emotet trojan to deliver the TrickBot trojan. Once infected, TrickBot would begin harvesting sensitive information so the criminals could decide whether the company was in their target vertical. If it was, TrickBot would then deliver Ryuk ransomware. This trend of chaining trojans together first surfaced last year when Emotet infections began grabbing TrickBot, Zeus Panda, IcedID and AZORult after compromising a device.
Over the last two years, there have been several takedowns related to botnets and criminal activity. For example, in April 2018, US, UK and Dutch authorities took down Webstresser.org. WebStresser was one of the most active DDoS-for-Hire sites on the market, with over a hundred thousand users! Not only did the authorities seize the domain, but in 2019 they began going after the users of Webstresser.org as part of Operation Power OFF.
One takedown that I did not touch on this year was the raid that Zack Whittaker of TechCrunch covered at the end of December 2018, when the FBI, with assistance from the NCA, the Dutch National Police and several companies, was able to seize 15 stresser services. These services included some of the more notable attack platforms like Defcon.pro, Str3ssed.me, Bullstresser.net and downthem.org. Amid the major crackdown, an operator of eight DDoS-for-Hire platforms also pleaded guilty to his role in launching over 3 million DDoS attacks.
Over the past year, the tactics and procedures used by authorities to take down criminals have shifted. While targeting the individual botherder or the operator running a stresser service serves its purpose, law enforcement is now focusing on the source: those who host and profit from these malicious activities. In a recent ZDNet article, Catalin Cimpanu covered the details of a raid against bulletproof hosting provider KV Solutions, a known malicious /24 that hosted several IoT botnets used to launch denial of service attacks.
In another recent large-scale raid, and a clear shift toward targeting those who host malicious services, German police raided CyberBunker 2.0, another bulletproof hosting provider that hosted everything from child pornography to notorious darknet markets like Cannabis Road, Wall Street Market and OrangeChemicals.
Notable Events Related to Botnets in 2019
Other notable events from the past year include:
- The Ecuadorian government claims it suffered 40 million cyber-attacks a day as a result of its action to evict Julian Assange.
- Finland suffered a Distributed Denial of Service attack targeting Parliamentary Election results services used by the government to communicate the outcome of the elections with the general population.
- The Muhstik botnet exploited CVE-2019-2725, a vulnerability in Oracle WebLogic Server.
- The AESDDoS botnet exploited Atlassian Confluence Server via CVE-2019-3396. The botnet was also seen exploiting an API misconfiguration found in Docker Engine-Community.
- A hacker was able to brute-force the back end and hijack 29 IoT botnets.
- Telegram suffered a large-scale DDoS attack that it claims originated from China and was related to the protests in Hong Kong.
- South African ISP Cool Ideas struggled to stay online last month amid an advanced persistent DDoS attack in which criminals targeted random IP addresses on the network and used multiple amplification vectors.
- Gaming companies began to take legal action this year against DDoS’ers. Blizzard announced that the attacker they believe was behind the recent World of Warcraft Classic DDoS had been arrested, while Ubisoft began banning players suspected of attacking Rainbow Six Siege with DDoS attacks.
Moving Into 2020
The escalation in the threat landscape continues into 2020. The public cloud is fully in scope for cybercriminals looking to compromise enterprise equipment. While cloud adoption is touted as a faster and easier solution for corporations, it’s clear that security is currently lacking and is overlooked in favor of performance and overall cost savings. As a result, more destructive botnets and attack vectors are on their way in 2020 as criminals not only focus on resource-constrained IoT devices, but also look to target and infect powerful cloud-based servers.
If the growth of the attack landscape continues at this rate, we as security practitioners need to begin asking serious questions. Questions like, should we ban or limit the use of IoT devices, especially in the enterprise, until the risk has been mitigated?