“Routers exposing UPnP can be configured remotely, without requiring local malware”
“Botnets”, says Ivan Blesa, the director of technology at Noble, a UK-based security firm, “are becoming a cloud service for criminals; easy to hire, at a reasonable cost”. They are also evolving fast: botnet attacks now involve far more than a “dumb” barrage of server requests from compromised baby monitors, fridges or routers, the stereotypical DDoS attack that regularly cripples business networks.
As Blesa adds to Computer Business Review, “We are on the verge of a complete change of perception as to what damage is possible for botnets to inflict.”
Botnet Attacks: From DDoS to Hivenets, and Sextortion
Radware agrees. The DDoS mitigation specialist predicts a rise in IoT-based botnets upgraded with swarm-based technology to create more efficient attacks. With bots accounting for over a third of internet traffic in 2018, businesses need to pay attention.
“Swarmbots turn individual IoT devices from ‘slaves’ into self-sufficient bots, which can make autonomous decisions with minimal supervision,” the company wrote this week.
“Hivenets… are self-learning clusters of compromised devices that simultaneously identify and tackle different attack vectors. The devices in the hive can talk to each other and can use swarm intelligence to act together, recruit and train new members.”
I Got (Probably More Than) 21 Problems, and a Botnet Makes them Worse…
The Open Web Application Security Project (OWASP) recognises 21 specific automated threat events that bots can deploy, ranging from card cracking, to denial of inventory, via “scraping”, “scalping”, “skewing” and “sniping”; none of them good news.
Other botnet attacks are cruder, but still effective. One identified this month by security firm Cofense involved a typical “for rent” botnet firing out so-called sextortion emails to existing victims of data breaches: it was targeting over 200 million potential victims.
“This botnet is not infecting computers to acquire new data sets – it is a true ‘spray and pray’ attack reusing credentials culled from past data breaches to fuel legitimacy and panic through sextortion scams,” says Aaron Higbee, Cofense’s co-founder and CTO.
Botnet Attacks: Hi, Malware Delivery
Matt Aldridge, senior solutions architect at Webroot, tells Computer Business Review: “Botnets have been one of the most common methods of malware deployment over the past decade, due to the scale of infection achieved.
“In fact, ransomware has been spread as a secondary payload through botnets, such as Trickbot and Emotet, as well as other types of malware. Slick automation has also been used by Trickbot and Emotet to keep botnets running and to spread using stolen credentials. Evolution of attack types emitting from botnets has been significant over recent years and we see no reason for this to change.”
It's a point reiterated by Pascal Geenens of Radware, who emphasises a rise in the remote reconfiguration of vulnerable routers through UPnP (Universal Plug and Play).
He tells Computer Business Review: “Certain router manufacturers have UPnP as a listener on WAN interfaces by default. UPnP allows dynamic forwarding rules to be configured remotely and without authentication into the router. By chaining vulnerable routers together, a central controller can create dynamic tunnels across the internet that pass through multiple hops and can conceal any type of traffic.”
“Routers exposing UPnP can be configured remotely, without requiring local malware running on the vulnerable device. All that is needed is a list of vulnerable devices (potential forwarding hops) and a central controller that creates the dynamic path for each connection and cleans it up after the connection is complete.”
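The two UPnP exchanges behind Geenens's description are worth seeing concretely. The following is an added example, not code from the article, from Radware or from any router vendor: it builds the SSDP probe a scanner sends to UDP 1900, parses the reply a router returns, builds the standard WANIPConnection:1 GetGenericPortMappingEntry request used to enumerate forwarding rules, and flags any rule whose internal target lies outside the RFC 1918 ranges, which is what a "forwarding hop" to the next router on the internet looks like. The SSDP reply and the SOAP response bodies are constructed sample data shaped like real responses (documentation-range addresses, made-up descriptions), and the choice of RFC 1918 as the only legitimate destination for a mapping is an assumption a LAN operator would adjust to their own addressing.

```python
"""Offline UPnP IGD exposure and port-mapping audit (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

IGD_SERVICES = ("WANIPConnection", "WANPPPConnection")

# Assumption: only RFC 1918 targets are legitimate for a port-forwarding rule.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The probe a scanner sends to UDP 1900: multicast on the LAN, or unicast to a
# router's public address when checking whether it listens on the WAN side.
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "\r\n"
)

# Constructed SSDP reply (documentation-range address, not a real device).
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=120\r\n"
    "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux UPnP/1.1 MiniUPnPd/2.0\r\n"
    "\r\n"
)


def parse_ssdp_reply(raw: str) -> Dict[str, str]:
    """Turn an SSDP 200 OK into a header dict (keys upper-cased)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def advertises_igd(headers: Dict[str, str]) -> bool:
    """True if the reply advertises a WAN connection service. Receiving this in
    answer to a probe sent at the router's public address is the WAN-side
    listener described above; on the LAN it is merely normal."""
    return any(svc in headers.get("ST", "") for svc in IGD_SERVICES)


def soap_get_mapping(index: int) -> str:
    """Request body for GetGenericPortMappingEntry; iterate index from 0 until
    the service returns a SOAP fault to enumerate every rule."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:GetGenericPortMappingEntry '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str
    lease_seconds: int


def parse_mapping_response(xml_text: str) -> Optional[PortMapping]:
    """Extract one rule from a GetGenericPortMappingEntryResponse body."""
    root = ET.fromstring(xml_text)

    def field(name: str) -> str:
        el = next(root.iter(name), None)
        return (el.text or "").strip() if el is not None else ""

    if not field("NewInternalClient"):
        return None
    return PortMapping(
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol"),
        internal_port=int(field("NewInternalPort")),
        internal_client=field("NewInternalClient"),
        description=field("NewPortMappingDescription"),
        lease_seconds=int(field("NewLeaseDuration") or 0),
    )


def is_forwarding_hop(m: PortMapping) -> bool:
    """A rule whose internal target is not on the LAN sends traffic back out to
    the internet: the chained-hop pattern described above."""
    addr = ipaddress.ip_address(m.internal_client)
    return not any(addr in net for net in LAN_NETWORKS)


def audit_mappings(responses: List[str]) -> List[PortMapping]:
    parsed = [parse_mapping_response(r) for r in responses]
    return [m for m in parsed if m is not None and is_forwarding_hop(m)]


def _resp(ext: int, proto: str, iport: int, client: str, desc: str, lease: int = 0) -> str:
    """Constructed response body in the shape a WANIPConnection:1 service returns."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


SAMPLE_MAPPINGS = [
    _resp(32400, "TCP", 32400, "192.168.1.20", "Plex"),  # ordinary LAN rule
    _resp(65530, "TCP", 443, "198.51.100.7", "node"),    # forwards to another internet host
]

if __name__ == "__main__":
    hdrs = parse_ssdp_reply(SAMPLE_SSDP_REPLY)
    print("IGD advertised:", advertises_igd(hdrs), "at", hdrs.get("LOCATION"))
    for m in audit_mappings(SAMPLE_MAPPINGS):
        print(f"suspicious: {m.external_port}/{m.protocol} -> {m.internal_client}:{m.internal_port} ({m.description})")
```

The check a practitioner actually wants is the first one: send SSDP_MSEARCH to your own public address from outside the network (a VPS, a phone on mobile data) and see whether anything answers; on a correctly configured router nothing does. The mapping audit is the second line of defence for routers where UPnP must stay on, since an existing rule pointing at a non-LAN address has no legitimate explanation. Note that a router may also accept the SOAP control request on its WAN TCP port even when it ignores SSDP there, so absence of an SSDP reply is not on its own proof that the control URL is unreachable.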
Botnets: Possibly After Your Sneakers
Interestingly, botnet attacks are increasingly used to commit commercial and retail fraud. These bots are designed to outpace humans when it comes to buying tickets and limited-release goods online. Scott Treacy, a security expert at Barracuda Networks, notes: “Retailers such as ticketing agents and clothing and shoe designers are being actively attacked by advanced bot networks to buy their limited releases, in ‘scalping’ attacks.
“They are using the speed of computers to buy all the resources before a human can react. This is particularly prevalent in the world of designer trainers where genuine customers actually have to purchase a ‘Sneaker Bot’ in order to stand a chance of being able to buy a pair of designer trainers for themselves.”
Good Bots Gone Bad
Paradoxically, there are situations where threat actors operate botnets made up of legitimate bots: machines and devices that have not been hacked but instead willingly give processing power to a chosen task.
Andy Still, CEO of Netacea, tells us: “Some free VPN services used by residential users include the right for the VPN provider to make that connection available for use by automated traffic that wants to automate web requests from genuine residential addresses. These ‘residential proxy’ networks are essentially legitimate commercial botnets.”
“Botnets that can send traffic from residential addresses are valuable because there is no infrastructure cost associated with running them, they are not detected by standard IP address blacklists, they use real consumer devices so device-based fingerprinting will appear as a real user, and for ad fraud they can piggyback a real cookie-based persona and the user’s history, meaning that ads served to the user with that cookie are sold at a higher rate.”
Barracuda Networks’ Scott Treacy told us: “We have one customer in the UK [who] after activating Advanced Bot protection discovered that 60 percent of their multi-gigabyte web traffic came from a single botnet scraping their site!”
Tackling the Issue
David Warburton, senior threat evangelist at F5 Labs, told us: “Now is the time for businesses to go beyond simple IP based blocking.
“Proactive bot defence, as found in advanced web app firewalls, can now fingerprint and challenge the capabilities of bots to prevent bad traffic from reaching the app. However, just as organisations are looking to make use of machine learning techniques to combat the threat, attackers, too, will look to use the power of AI to evade defences to carry out more sophisticated attacks.”
Blue teams and their CISOs will need to work hard to keep up.
Martin Rudd, CTO at Telesoft Technologies, notes that: “We’re also now seeing the first botnets that use encrypted DNS (Godlua using DNS over HTTPS) to bypass detection by older cyber defence platforms.”
“Attackers are adopting emerging technology as fast as organisations — sometimes even faster due to a completely different thought process and methodology enhancing the way the new technology is used. Looking to the future, we’ll see AI making attacks appear like normal human activity, matching human circadian rhythms and even mimicking device movements — all of which makes detection that much harder.”
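Rudd's point about encrypted DNS is that a platform which only inspects port-53 traffic sees nothing when a bot resolves its controller over DNS over HTTPS (DoH). What an older platform can still see is the TLS session itself. The following is an added example, not code from the article or from Telesoft, showing two detections that work from connection metadata alone: a TLS session whose server name is a known public DoH resolver, and a host that opens several TLS sessions in a window without issuing a single plaintext DNS query, which means it is resolving names somewhere the sensor cannot see. The log lines are constructed (Zeek-style tab-separated columns, documentation-range addresses); the three resolver names are real public DoH endpoints but the list is deliberately short and illustrative, and the three-session threshold is an assumption to tune per environment.

```python
"""Detect encrypted-DNS use from TLS and DNS connection logs (added example)."""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Real public DoH resolvers, illustrative list; keep the production copy in a
# threat-intel feed rather than in code.
KNOWN_DOH_NAMES = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed TLS log (five columns in the style of Zeek ssl.log) and the
# plaintext DNS log for the same window. All addresses are documentation ranges.
SSL_LOG = """\
ts\tsrc\tdst\tdst_port\tsni
1700000000\t10.0.0.5\t192.0.2.53\t443\tdns.google
1700000001\t10.0.0.5\t192.0.2.10\t443\texample.com
1700000002\t10.0.0.9\t203.0.113.7\t443\tcdn.example.net
1700000003\t10.0.0.9\t203.0.113.8\t443\tupdates.example.net
1700000004\t10.0.0.9\t203.0.113.9\t443\tapi.example.net
1700000005\t10.0.0.12\t198.51.100.20\t443\tshop.example.org
"""

DNS_LOG = """\
ts\tsrc\tquery
1700000000\t10.0.0.12\tshop.example.org
1700000001\t10.0.0.5\texample.com
"""


def parse_tsv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def hosts_using_known_doh(ssl_rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Rule 1: any TLS session whose SNI is a known DoH resolver."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for row in ssl_rows:
        name = row["sni"].lower()
        if name in KNOWN_DOH_NAMES:
            hits[row["src"]].add(name)
    return dict(hits)


def dns_silent_hosts(ssl_rows: List[Dict[str, str]], dns_rows: List[Dict[str, str]],
                     min_tls: int = 3) -> Dict[str, int]:
    """Rule 2: hosts with at least min_tls TLS sessions in the window and no
    plaintext DNS query at all. Clients resolve names before they connect, so a
    busy host with zero port-53 traffic is resolving out of the sensor's view,
    most plausibly over DoH to a resolver that is not on the known list."""
    tls_count = Counter(row["src"] for row in ssl_rows)
    dns_seen = {row["src"] for row in dns_rows}
    return {h: n for h, n in tls_count.items() if n >= min_tls and h not in dns_seen}


def detect(ssl_text: str = SSL_LOG, dns_text: str = DNS_LOG,
           min_tls: int = 3) -> Dict[str, List[str]]:
    """Run both rules and return {host: [reason, ...]} for every host that fired."""
    ssl_rows, dns_rows = parse_tsv(ssl_text), parse_tsv(dns_text)
    findings: Dict[str, List[str]] = defaultdict(list)
    for host, names in hosts_using_known_doh(ssl_rows).items():
        for name in sorted(names):
            findings[host].append(f"TLS to known DoH resolver {name}")
    for host, n in dns_silent_hosts(ssl_rows, dns_rows, min_tls).items():
        findings[host].append(f"{n} TLS sessions with no plaintext DNS queries")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(detect().items()):
        print(host, "->", "; ".join(reasons))
```

Both rules are triage signals rather than block decisions. Rule 1 also fires on a browser with DoH switched on by the user, so the follow-up is to check whether the host's DoH traffic is expected. Rule 2 assumes the sensor sees all of the host's DNS; a segment whose clients use an internal forwarder that the sensor does not observe will look "silent" and needs the DNS log taken from that forwarder instead.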