Botnet Trend Report -4

Botnet Trend Report -4

agosto 3, 2020 | Adeline Zhang

In the reconnaissance phase, a bad actor can determine which targets to attack through batch scanning. Such scanning is often focused on user names and passwords for access to and vulnerabilities in devices. Besides, an attacker may try to compromise targets by delivering malicious baits to their email addresses collected previously.

Weak Passwords

In the past year, NSFOCUS Security Labs detected over 470,000 brute-force attacks on the MSSQL database, over 90% of which tried user names of “sa”.

Besides, the number of brute-force attacks against SSH exceeded 10 million. A further look into such data found that “root” and “admin” were respectively the most frequently used user name and password. Among all successful attacks on SSH, 62% were attributable to this combination and 30% to the combination of the user name “root” and an empty password.


Exploits have always been important tools for botnets to expand themselves. Thanks to botnets’ characteristics, botnet controllers can leverage bots to complete low-risk, high-efficiency network-wide scanning.

  • Windows

In 2019, exploits of vulnerabilities in Windows, especially EternalBlue that exploits the MS17-010 vulnerability, were still rampant.

Throughout the year, NSFOCUS Security Labs registered over 10 million attempts to scan for the EternalBlue vulnerability and over 4.62 million attacks actually exploiting this vulnerability.

As for new vulnerabilities, BlueKeep (CVE-2019-0708), a vulnerability in Microsoft’s Remote Desktop Protocol (RDP) implementation, since its disclosure, has been a magnet for bad actors.

Since July, many security vendors have detected botnet families contain BlueKeep scanner modules in various languages. As a result, vulnerability exploitation is looming large in the cyberspace, posing a serious threat to the Windows platform.

In terms of spear phishing, vulnerabilities in Office suites still dominated various types of attack payloads. According to statistics about CVE vulnerabilities in Office, CVE-2017-11882 was still most favored by hackers.

Sometimes, attackers exploited a combination of Office vulnerabilities to launch attacks. Among them, CVE-2017-11882 occurred most frequently.

Of all these combinations, CVE-2017-11882 and CVE-2018-0802 are a marriage made in heaven. The two, once joining hands, can counter various patches with a high rate of success.

  • IoT

As in previous years, IoT botnet families in 2019 mainly exploited SOAP vulnerabilities, represented by CVE-2017-17215 (Huawei HG532) and CVE-2014-8361 (Realtek rtl81xx SDK), to attack smart IoT devices.

In addition, the number of IoT vulnerability types exploited for attacks reached 100 and CVE vulnerabilities exploited spanned a protracted period of 13 years.

  • Other Exploits

Besides the preceding platforms, some cross-platform components also have vulnerabilities that are attractive to cybercriminals.

Confluence is a cross-platform, enterprise-grade management software program. In March 2019, a remote execution vulnerability, CVE-2019-3396, was disclosed in this software. In response, perpetrators acted promptly to exploit this vulnerability to hack into Windows and Linux servers by using ransomware families GandCrab and Sodinokibi, the DDoS malware MrBlack, and the cryptojacker Kerberods.

Adobe Flash Player is a multimedia player used by mainstream browsers. In 2019, Windows-based ransomware families, including GandCrab, Paradise, Sodinokibi, and Maze, exploited CVE-2018-4878, a vulnerability in this application, to compromise targets. Specifically, an attacker injected malicious code into some porn websites, and users, when browsing these websites, would be attacked[3]. Besides injecting malicious code into web pages, a hacker may embed Flash into Office documents, with the intent of attacking whoever opens such documents.

To be continued.