How botnets are evolving: from IoT botnets to Hivenets
A botnet is a collection of infected internet-connected devices dubbed bots that are controlled by a threat actor and used to carry out a broad range of malicious activities.
Attackers recruit systems for their botnets by infecting them with malware. The initial attack chain includes exploiting vulnerabilities in the target systems or gaining access to systems protected by weak passwords.
Botnet operators implement command and control mechanisms to enable the bots to execute commands they receive and carry out malicious activities, such as:
- Conducting Distributed Denial of Service (DDoS) attacks that saturate the resources of the target system/service
- Sending out spam messages
- Generating Internet traffic on a third-party website for financial gain
- Conducting credential stuffing attacks by validating lists of leaked credentials used to take over online accounts
- Performing web application attacks
- Providing the attacker access to an infected device
- Mining cryptocurrency
- Exfiltrating data from infected devices
Over the past few years, botnet architecture and capabilities have been rapidly changing as more ill-protected IoT devices are entering the consumer market and are subsequently compromised by threat actors. Let’s take a look at how the botnet landscape has evolved over this period.
Centralized vs. decentralized botnets
A botnet can use two different topologies to implement interconnections: centralized, and decentralized (aka peer-to-peer (P2P)).
In the “centralized” model, each bot periodically reports to a central command and control server. The central server is a single point of failure, this means that if it is shut down the bots are useless.
In the decentralized model, also known as peer-to-peer, each bot acts as a Command and Control server. Information and control commands are propagated in the network from bot to bot. The takedown of the whole botnet is very difficult because botmasters control them by sending commands to one of the bots.
A rapid evolution
One of the main factors that influenced botnet evolution is the proliferation of Internet-of-Things (IoT) devices: 7.7 new million IoT devices are connected to the Internet every day, and only 1 in every 20 is estimated to be protected by a security solution.
Since the first discovery of the infamous Mirai IoT botnet in August 2016, multiple IoT botnets based on its code were employed in attacks in the wild.
During the first half of 2019, botnet activity and hosting C2 servers increased substantially, 7% of all botnet detections, and 1.8% of C2s around the world. Most targeted services were financial services.
During 2019, the number of Mirai variants detected by security firms and law enforcement agencies increased by more than 57% when compared with 2018.
Security researchers also observed an important increase in P2P botnet activity since Roboto and Mozi botnets became active, while Linux based botnets are behind most of the attacks (97.4%).
“The highest share of botnets were registered in the United States (58.33%) in Q4 2019. While this is an increase compared with Q3 2019 (47.55%), the total number of C2 servers almost halved.” Reads the Enisa Threat Landscape 2020 report.
“The United Kingdom was is in fourth place and jumped to second place with 14.29%, while China maintained the same position at 9.52%. The most significant decrease in C2 registered servers was in the Netherlands (from 45% to ~1%).”
Some of the newest elements already contributing to the evolution of botnets are predictive software systems and artificial intelligence.
Attackers have already implemented automation and intelligent decision trees to exploit known vulnerabilities to recruit new bots.
Experts believe that botnets will evolve into hivenets, which are P2P structures that leverage the self-learning process to target vulnerable systems in an automated manner without supervision. Hivenets are intelligent clusters of infected systems built around swarm technology. Unlike traditional botnets, they are able to make decisions independently without waiting for commands.
How will IoT botnets evolve in the coming years?
One of the most interesting documents that provide insights into botnet evolution was published by the DHS and is titled “Botnet Road Map Status Update.”
Below are some of the predictions shared by the DHS’s study:
- Botnets will recruit new types of connected devices, especially consumer IoT products, such as mobile/wearable devices and other classes of IoT belonging to the industrial device category.
- Botnets will be smaller and more sophisticated to avoid detection and to be more resilient to takedown operations from security firms and law enforcement agencies.
- An increasing number of nation-state actors will employ botnets in their operations. These botnets will benefit from the advanced capabilities and means (i.e. zero-day exploits) that characterize this specific type of attack.
- To remain under the radar, botmasters will focus their operations targeting certain types or models of devices that have greater penetration in specific regions.
Are there ways to protect against botnet attacks?
The fight against botnets is difficult and requires the involvement of law enforcement agencies and security firms.
Recently, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces in a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
The experts that participated in the takedown have supported the investigation into TrickBot’s back-end infrastructure for several months. The experts worked together for months, showing that the most efficient weapons against botnets are information sharing and collaboration among multiple stakeholders, including security firms, Internet service providers (ISPs), computer emergency readiness teams (CERTs), and law enforcement bodies.
As part of this operation, the security firms have collected more than 125,000 TrickBot malware samples and mapped the command and control infrastructure. The TrickBot botnet was considered by security experts one of the biggest botnets.
According to the approach proposed by the ENISA to rapidly identify these threats, one of the most important aspects of a solid defense is the knowledge of the environment.
By implementing behavioral detection, it is possible to monitor traffic while searching for malicious patterns associated with botnet activities. ENISA experts urge the deployment and the configuration of network and application firewalls. They also suggest deploying challenge-based capabilities for websites to check the origin of traffic (i.e. reCAPTCHA).
Another layer of defense consists of deploying border gateway protocol feeds that could allow the inspection for decentralized top-level domains to block connections to IP addresses associated with botnet command and control activity.
To prevent the compromise of targeted systems, it is essential to implement an efficient patching process and keep both firmware and applications up to date.
ENISA also recommends restricting or blocking cryptocurrency mining pools, as well as monitoring the environment for the required users. The experts also suggest implementing multi-factor authentication to protect public-facing servers or infrastructure in order to neutralize credential stuffing attacks.