Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-1

Analysis of 2020 H1 Botnet and Honeypot-captured Threat Trends-1

October 16, 2020 | Mina Hao

Overview

In the distributed denial-of-service (DDoS) botnet activities in 2020 H1, most were from Mirai, Gafgyt, and other major families.

In 2020 H1, DDoS attack means were dominated by UDP floods, CC, and TCP floods.

In 2020 H1, Hostwinds, Digital Ocean, and OVH were the major hosted cloud service providers of C&C servers. We predict that it will remain unchanged in 2020 H2.

In the same period, 128 types of vulnerabilities were detected to be spread and exploited by the Internet of Things (IoT) trojans. Of all these vulnerabilities, CVE-2017-17215 (in Huawei HG532 routers), CVE-2014-8361 (Realtek rtl81xx SDK remote code execution vulnerability), and ThinkPHP remote code execution vulnerability were the most frequently exploited.

Through NSFOCUS’s threat hunting system, we have kept an eye on a botnet specializing in Monero cryptomining for a long time. The botnet intrudes upon hosts by cracking weak passwords and gains control privileges by implanting bot programs. Meanwhile, it downloads and executes Monero cryptomining scripts via the downloader for malicious cryptomining. The cryptomining botnet became increasingly active in 2020 H1, involving a total of 20,830 active bots. China was the country with the most bots, which were as many as 8304, accounting for 40% of the total. Port 22 was opened on 13,664 bots, approximately 66% of all bots. According to known asset intelligence, routers and cameras were dominant device types reduced to bots.

Botnet Trends

Botnet Attacks in 2020 H1

In the DDoS botnet activities in 2020 H1, major attacks were connected to Mirai, Gafgyt, and other families.

In 2020 H1, DDoS attack means were dominated by UDP floods, CC, and TCP floods.

In 2020 H1, Hostwinds, Digital Ocean, and OVH were the major hosted cloud service providers of C&C servers. We predict that it will remain unchanged in 2020 H2. In the same period, 128 types of vulnerabilities were detected to be spread and exploited by IoT trojans. Of all these vulnerabilities, CVE-2017-17215 (in Huawei HG532 routers), CVE-2014-8361 (Realtek rtl81xx SDK remote code execution vulnerability), and ThinkPHP remote code execution vulnerability were the most frequently exploited.

  • Attack Count and Family Distribution

In 2020 H1, we detected a total of 131,687 attacks, which were launched by 10 families, as shown in Figure 2-1.

Table 2-1 Botnet attack count and family distribution

Monthly attack trends in 2020 H1 are as follows.

Figure 2-1 Attack trends

  • Attack Events and Family Variants

The percentages of family variants in various attacks are as follows:

Table 2-2 Number and percentage of attacks initiated by each family/variant

Obviously, gafgyt_builds overshadowed other variants in the Gafgyt family, and S1P0R3.WV was the most active in the Nitol family. Since gafgyt_builds was abnormally inactive in May and June, Gafgyt was far behind Mirai in terms of attack count in 2020 H1. Mirai contributed almost a half of the DDoS attacks.

  • Attack C&C Distribution

Table 2-3 Geographical distribution

Figure 2-2 Distribution of C&C cloud services and operators

C&C was mainly hosted in cloud services, with Hostwinds most favored, closely followed by Digital Ocean and OVH.

  • Daily Distribution of the Activity Level of Attack Instructions

Mirai (in dark blue) was almost always active in 2020 H1 and reached peaks in early January, early April, and mid-June, becoming a family with the most stable active state. Sdbot (in red) reached ultra-high peaks between late January and early February, far exceeding other families.

However, it was inactive in other periods. Activities of Gafgyt were mainly carried out by the variant gafgyt_builds (in yellow). gafgyt_builds was stably active from January to March and gradually became sluggish in the next three months. YoYo (in dark green) was on the contrary. It was stably active from March to June. Dofloo (in lavender) and Tianfa DDoS (in gray) were occasionally active in some periods.

  • Distribution of Flood Types Used in Attacks

Table 2-4 Distribution of flood types used in attacks

  • Distribution of Linux/IoT Vulnerabilities Exploited in Attacks

Table 2-5 Distribution of Linux/IoT vulnerabilities exploited in attacks

TO be continued.