[BreachExchange] Get ready, a botnet attack is coming your way

Destry Winant destry at riskbasedsecurity.com
Mon Oct 15 09:03:21 EDT 2018


Just in time for the Halloween season, we have a story of stolen
property, stealthy takeovers, and mass destruction. The cause of this
mayhem? A menace, which combines the power of big data with the speed
of automation and downright creepiness of sophisticated, remote

Sound sinister? It should, because the menace is a botnet, and no
one’s IT ops are entirely safe from attack.

Botnets: IT marauders, bully-boys, and sneaks

IT security professionals are catching up with hackers and
cybercriminals, but the bad guys still have the advantage because:

- Users continue to secure legacy hardware poorly or not at all, which
makes it easy for hackers and cybercriminals to tamper with their IT
infrastructures. For example, IoT devices and other hardware
appliances provide easy access to an IT system.

Some of these devices provide only simple security such as default,
out-of-the-box passwords. Many others are configured with no thought
given to the multi-layered defenses that effective protection against
cyber-attacks requires.

- Attack tools are easy to find and use. It takes surprisingly little
time, money, and expertise to mount a cyber-attack.

Distributed denial of service (DDoS) attacks get the most media
attention. However, you can rent the required hacking skills or access
to malware to launch a wide variety of exploits. Just find a shady
malware-for-hire operation online (please don’t). It’s surprisingly
cheap and requires no IT experience.

- Cybercriminals are using botnets in increasingly sophisticated ways.
The security research community has recognized criminals’ ability to
take the botnet to new and more dangerous levels.

Hajime and Reaper, successors to the infamous Mirai botnet, use
automatic functions and a set of sophisticated cyber tools. Hajime,
for example, supports five different platforms, includes a toolkit
with automated tasks, and uses a dynamic password list that can be
updated remotely. Reaper’s capabilities include easily updatable code
and exploits that search for nine different known vulnerabilities
found in a wide variety of IoT devices.

So, as botnets become more powerful and versatile, it might be a good
time to review what enables them to do so much damage.

Botnets change the IT attack landscape

The basic concepts of botnets include power, control, and efficiency –
the ability to do lots of damage to many network endpoints in a short
period. It’s these capabilities and the increasing sophistication of
botnet-based attacks that are changing IT security practices.

A flexible and potent weapon

What comes to mind when you hear the term “botnet”? If you’re like
most folks, you think of malicious hacking, lurid media headlines, and
tales of powerful DDoS attacks. Unfortunately, there’s more to botnets
than media coverage would suggest.

A botnet is a group of computers, Internet-connected smartphones, or
IoT devices whose security has been breached and which are controlled
by a third party. The disturbing aspects of botnet attacks include the
takeover of resources (usually by remote control) and the
sophistication of what happens during the attack.

Modern botnets include these features and capabilities:

- Peer-to-peer operation. Although client-server attack methods exist,
modern botnets seek and infect targets directly rather than via a
- An executable file. Bots infect each target directly by downloading
malware onto the computer, smartphone, or IoT device.
- Automated, high-volume attacks. An abundance of network endpoints
and the ability to write and automate small but harmful scripts
multiply a bot attack’s damage. After infecting target devices,
botnets can find and modify personal information, attack other
computers, and commit other crimes. More complex, autonomous bots can
continue to carry out seek-and-infect missions.
- Remote control via a bot herder. A person directs attack functions
remotely, often with a sophisticated toolkit that includes changing
lists of passwords and downloadable malware.

The power and flexibility of these capabilities enable attackers to
deliver a wide variety of cyber-attacks.

Variations on the themes of theft and destruction

The ability of bots to monitor system traffic and individual
keystrokes on infected sites enables botnets to retrieve usernames,
passwords, and other sensitive information. These and the capabilities
mentioned previously are useful in a wide variety of exploits, which

- DDoS attacks. In these exploits, an attacker engulfs a system with
data or service requests. The result: loss of network connectivity and
services. DDoS attack targets can include web servers,
internet-enabled devices, or internet services.
- Spamming and phishing. Think of thousands of bots, equipped with
versatile tools, automated functions, and remote control by an
unfriendly operator. Think of the damage that a massive bulk email
(spam) attack can do when bots harvest stored email addresses. Or, add
a bit of deception to the spam, and you get a phishing attack, a
common doorway into IT systems.
- Spreading malware. In most cases, attackers use botnets to create
new bots by downloading and executing infected files. This type of
attack is a very efficient way to spread an email virus, for example.
A botnet with 10,000 hosts, each of which acts as the starting point
for a fast-spreading email virus, can deliver a massive, fast-growing
malware attack.
- Mass identity theft. Attackers can combine bot capabilities to
commit large-scale identity theft exploits. The same bots that carry
out phishing expeditions can also host multiple fake websites and
harvest personal information. Keylogging and data sniffing can also
help to steal personal identity data or healthcare information.

Botnet power and versatility create more dangerous attacks

Botnets can deliver a wide variety of high-volume, malware-driven
assaults to servers and Internet-connected devices. The power and
scope of these attacks make it easier than ever for hackers and
cyber-criminals to harm internet systems and services.

Although security teams are learning to fight botnet attacks, success
requires a significant change of view: inside-out security.
Traditional security strategy concentrates on preventing breaches at
the outer edges of a network. Firewalls and security appliances alone
can’t protect networks from botnet attacks. That’s because these
attacks are more sophisticated, and internet-connected devices offer
many alternative entry points.

Now, IT organizations are finding that starting from the inside with
rapid detection and response is a must when a botnet attack occurs.
