Botnets have evolved since 2017. New active families and platforms have become dominant. Attack types used have also changed.
In 2018, NSFOCUS detected 111,472 attack instructions from botnet families, received by a total of 451,187 attack targets, an increase of 66.4% over the previous year. On average, each attack instruction was received by four attack targets. However, the number of active botnet families issuing more than 100 attack instructions decreased from 12 to 9. Evidently, a handful of full-fledged botnets have come to dominate the cyberthreat landscape, demonstrating that the botnet lifecycle includes a maturity phase.
Apart from the BillGates family, which erupted at the end of 2017, the Mayday, Gafgyt, and Mirai botnet families were the most active, contributing 21%, 9.5%, and 7.4% of attack instructions respectively.
IoT platforms, especially those based on Linux, became the platforms of choice for command & control (C&C) servers, with their share surging from 4.4% in 2017 to 31% in 2018. This indicates that IoT platforms are becoming the frontline of botnet attack and defense.
Geographically, the USA hosts the most C&C servers (30.64%) and is also the most targeted victim of botnet attacks (47.2%). China came second on both counts, with 29.79% of C&C servers and 39.78% of attack victims.
The most active botnet family types were related to ransomware, cryptomining, and DDoS. In addition, banking trojans, remote access trojans (RATs), and account-hacking trojans were seen in high-profile campaigns.
DDoS botnet families shifted toward multi-vector attacks, which became the dominant DDoS attack type. Botnets monitored by NSFOCUS issued DDoS attack instructions covering nearly every kind of attack, including TCP flood, SYN flood, ACK flood, UDP flood, DNS flood, HTTP flood, and ICMP flood. Of these attack instructions, 39.8% were for UDP flood and 35.5% for TCP flood attacks, making these the top two DDoS attack types seen.
Botnets were not short on propagation and delivery methods. Among the botnet intrusion logs analyzed in 2018, attacks using weak-password cracking accounted for 55.3%. Botnet families used exploits for 54 topical vulnerabilities, 90.7% of which target IoT devices.
To be continued