Executive Summary
With the rapid advancement of computer technologies and more and more network devices joining the Internet, the global Internet has expanded at an unbelievably high speed. However, efforts made in enhancing cybersecurity are lagging far behind the growth of the Internet, leaving an ever-growing gap in between. Many cybercrime groups and individuals are trying to take hold of insufficiently secured network resources and turn them into botnet clusters for the purpose of garnering illegal profits.
Botnets are an important carrier of current Internet threats. Activities including distributed denial-of-service (DDoS) attacks, adware bundling, cryptojacking, and data theft continue to be carried out by leveraging botnets. Some ransomware families propagate themselves via botnets, and even advanced persistent threat (APT) attacks have begun to use botnets to blaze the trail. In the past few years, a new trend of botnet as a service (BaaS) has taken shape, which, on the one hand, reduces cybercriminals' costs of perpetrating continuous attacks, and, on the other hand, makes it easier for them to control botnets. Along with this trend come more botnets of increasing sizes, posing a severe threat to the Internet ecosystem. In this context, more effort should be made to resist and defeat botnets. Resisting botnets requires targeted defensive measures, and defeating botnets requires accurate profiles of the groups behind them. To do these jobs, defenders must continuously study and track botnets by capturing malware samples, analyzing their techniques, interpreting their development trends, and keeping a close eye on their activities, so as to obtain related threat intelligence and defend against botnets effectively.
NSFOCUS Security Labs has spent years continuously studying and tracking botnets and has also made headway in research on APTs and the tracking of APT groups. According to its observations, the threat situation posed by botnets in 2019 continued from previous years but took on some changes, which are summarized as follows:
Compromise and propagation:
- Brute-forcing and exploitation of various remote code execution vulnerabilities were still important methods used to compromise networks, affecting a wide range of platforms and assets. At the same time, spear phishing remained active. These observations clearly indicate that attacks were conducted in phases and by different roles, making it extremely difficult to trace their sources. Moreover, perpetrators of this type of attack, by taking advantage of people's trust and curiosity, can easily fool targets into opening phishing emails that look intriguing and are seemingly sent from trusted sources. As a result, such attacks have a high rate of success. To address these threats, IT managers and operators should keep their systems up to date and provide security awareness training to employees to protect the organization from related attacks and minimize the losses they cause.
Persistent threats:
- Brute-forcing, as a function, has gradually been split off from botnets and is now carried out by malware families developed specifically for this purpose. The new family GoBrut launched extensive cracking campaigns against website management frameworks like WordPress, databases, and remote management protocols. Its fast version iteration shows that botnets powered by Go-based malware are gaining momentum for rapid growth.
- Adware, to reach as many users as possible, continued to rely on silent installers and pop-ups. To complicate things even further, malware is sometimes bundled with adware for propagation. Evidently, more work should be done to map out the chain of interests and the security risks behind this type of attack.
- As for DDoS threats, the US was still the biggest target, receiving most attacks from Gafgyt and Mirai. Among these attacks, UDP floods contributed an even larger proportion in the past year. As more and more enterprises and individuals are migrating services to clouds or virtual private servers (VPSs), more attack traffic is now directed to the clouds or VPSs.
- New ransomware families keep emerging. As old families disappear, new ones with a higher level of industrialization are surfacing. GandCrab and Sodinokibi were the most active ransomware families in 2019.
- Banking Trojans wreaked havoc in a reckless and unbridled manner. Destructive families no longer operated as lone wolves and increasingly joined forces to squeeze more money out of victims.
- Mobile platforms are becoming an important attack surface for botnet threats, considering that they carry as many malware types as PCs: adware, banking Trojans, and ransomware, to name but a few. This poses a severe threat to Android phones and tablets, which often contain sensitive personal information. Devices such as Android TV boxes are even more vulnerable to cryptojackers because users exercise little control over them.
- Botnets remain an important means for APT groups to maintain their persistent threats. In 2019, a trend of botnet groups assisting APT groups in attacks took shape.
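The brute-forcing item above notes that cracking campaigns against remote management protocols are now run by dedicated families, and a botnet spreads the attempts across many source addresses. The following is an added example, not code from NSFOCUS or the report, of how a defender can flag both patterns in authentication logs: a single source failing repeatedly, and an account being tried from many distinct sources within a short window (the distributed pattern). The log excerpt is constructed (OpenSSH-style lines with documentation-range IP addresses), and the thresholds and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH-style auth log excerpt (sample data, not from the report).
# 203.0.113.5 hammers one account; five 198.51.100.x hosts each try "admin" once
# within half a minute; 192.0.2.10 is a user who mistyped a password once.
SAMPLE_LOG = """\
Jan 12 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 12 10:00:02 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 12 10:00:04 bastion sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 12 10:00:05 bastion sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 12 10:00:07 bastion sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 12 10:00:09 bastion sshd[1006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 12 10:01:10 bastion sshd[1007]: Failed password for invalid user admin from 198.51.100.1 port 50001 ssh2
Jan 12 10:01:15 bastion sshd[1008]: Failed password for invalid user admin from 198.51.100.2 port 50002 ssh2
Jan 12 10:01:21 bastion sshd[1009]: Failed password for invalid user admin from 198.51.100.3 port 50003 ssh2
Jan 12 10:01:28 bastion sshd[1010]: Failed password for invalid user admin from 198.51.100.4 port 50004 ssh2
Jan 12 10:01:33 bastion sshd[1011]: Failed password for invalid user admin from 198.51.100.5 port 50005 ssh2
Jan 12 10:02:00 bastion sshd[1012]: Failed password for alice from 192.0.2.10 port 60001 ssh2
Jan 12 10:02:06 bastion sshd[1012]: Accepted password for alice from 192.0.2.10 port 60001 ssh2
"""

# Matches the "Failed password" line sshd writes for wrong passwords, with or
# without the "invalid user" prefix used for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-login line.
    Syslog timestamps carry no year; they are only used for time deltas here."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("src")


def detect_bruteforce(lines, per_source_threshold=5, distinct_source_threshold=4, window_s=60):
    """Return (noisy_sources, sprayed_accounts).

    noisy_sources:    source IPs with >= per_source_threshold failures inside window_s
    sprayed_accounts: accounts failed from >= distinct_source_threshold distinct sources
                      inside window_s, the distributed pattern a botnet produces
    Thresholds and window are assumed values for illustration.
    """
    by_source = defaultdict(deque)   # src  -> recent failure timestamps
    by_account = defaultdict(deque)  # user -> recent (timestamp, src) pairs
    noisy_sources, sprayed_accounts = set(), set()

    for ts, user, src in parse_failures(lines):
        # Sliding window per source: drop entries older than window_s, then count.
        q = by_source[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= per_source_threshold:
            noisy_sources.add(src)

        # Sliding window per account: count distinct sources, not attempts, so a
        # botnet making one attempt per node still stands out.
        a = by_account[user]
        a.append((ts, src))
        while (ts - a[0][0]).total_seconds() > window_s:
            a.popleft()
        if len({s for _, s in a}) >= distinct_source_threshold:
            sprayed_accounts.add(user)

    return noisy_sources, sprayed_accounts


if __name__ == "__main__":
    noisy, sprayed = detect_bruteforce(SAMPLE_LOG.splitlines())
    print("per-source brute force:", sorted(noisy))
    print("accounts sprayed from many sources:", sorted(sprayed))
```

On the sample, the per-source rule catches only 203.0.113.5, and the per-account rule catches only "admin": none of the 198.51.100.x hosts exceeds the per-source threshold on its own, which is exactly why per-source rate limiting alone misses botnet-driven cracking. The same two counters apply unchanged to WordPress login or database authentication logs once the regular expression is swapped for that log format.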
The preceding observations and findings reveal that botnets exerted a more extensive impact in 2019 than previous years, whether in terms of compromise or persistent activities. Service providers, managers, and users should, based on real-time threat intelligence, make concerted efforts to address botnets, preventing them from devastating critical services and facilities.