Cybercriminals are abusing IoT devices to mount massive attacks on IT companies, governments and organizations. Such botnets are often used to execute high-volume DDoS attacks. Besides extortion, a common motive is to damage a competitor.
At the latest with the Mirai malware two years ago, botnets gained dubious prominence and are no longer a term known only to IT professionals.
Initially, IT professionals used botnets as legitimate tools to automate routine tasks. In 1993, for example, “eggdrop”, one of the first documented botnets, was used to protect IRC channels (text-based chat rooms) against takeover attempts. It was not long before hackers discovered the method and misused it. Today’s botnet malware combines several attack techniques that can be executed simultaneously across multiple vectors. The mode of operation, however, is always similar: attackers compromise computers, mobile devices and IoT devices and take over control of them. The owners are usually unaware of the takeover, so attackers are often able to.
Association of IP-based devices
The Mirai botnet mentioned above was estimated to reach up to 500,000 networked end devices, most notably IP security cameras. In the telecom outage of November 2016, by contrast, the attackers attempted to misuse routers to build a botnet, which affected more than one million customers.
IoT devices are being misappropriated
Despite increased threat awareness among manufacturers, IoT devices are far too often shipped with default credentials, simple passwords or known security vulnerabilities. This makes them ideal candidates for criminals to recruit into botnets. The growing number and broader use of IoT devices in particular are driving the growth of these clusters: the analyst firm IDC expects more than 75 billion devices to be connected to the IoT by 2025. Ordinary computers, including those of private individuals, are affected as well: the Internet association eco found that of 175,000 computers checked, nearly 40 percent were infected with bots. Hackers thus find a steadily growing market full of open entry points.
When botnets are used for DDoS attacks, they aim to paralyze the Internet services, IT components or IT infrastructure of the targeted company or organization. To this end, network components such as servers are overloaded with traffic in the form of requests until they are no longer available. While a single hijacked IoT device generates little traffic, a large cluster of them can reach levels in the three-digit Gbps range (gigabits per second).
The “bot economy” is quite attractive for criminals
This form of cybercrime is a worthwhile source of revenue for hackers. Because they rely on third-party IP-based devices, they incur no additional infrastructure costs to launch attacks. The anonymity of the darknet and non-transparent trading in cryptocurrencies work in their favour: existing botnets, for example, can easily be leased to third parties, who can then carry out an attack against payment. Access to the Mirai botnet, for instance, was offered for $7,500. A short-term attack by a comparatively small botnet can be bought today for less than 5 US dollars on the darknet.
Botnets are an attractive platform for cybercriminals from an economic point of view for another reason: in addition to executing DDoS attacks, they are suited to other criminal scenarios. Their operators can use them to:
- send spam or malware by e-mail quickly and with little traceability
- perform click fraud
- host large-scale phishing campaigns to spread malware
- harvest software license data
- steal personal information and identities
- spy out credit card and other account information, including PINs or passwords
- install keyloggers
- provide open proxies for anonymous Internet access
- run brute-force attacks against other targets on the Internet
Simplified access to botnets
Another factor that has favoured the proliferation of botnets is that the individual components are relatively easy to compile, exchange and update. The scene took a real leap after the release of the LizardStresser source code in early 2015. This source code was freely accessible, easy to use and contained several sophisticated DDoS attack methods. For example, it could hold TCP connections open, send a random set of junk characters to a TCP or UDP port, or repeatedly send TCP packets with specific flags set. The malware also included a mechanism to execute arbitrary shell commands, for instance to download updated versions of LizardStresser with new command-and-control servers or entirely new malware. In general, access to botnets and their infrastructure has been simplified to the point that even people with little technical skill can misuse them for their own purposes. This was helped by hackers recognizing the lucrative market and becoming increasingly professional.
Becoming a victim yourself is increasingly likely
This professionalization, coupled with the growing number of vulnerable IoT devices and simplified access for third parties, makes botnets a risk factor for any business. According to experts, this trend will not abate in the foreseeable future. Companies must therefore be aware of the dangerous situation and prepare accordingly. Since botnets are mainly used for DDoS attacks, a suitable DDoS defense solution is indispensable. According to the consensus among security experts, such a solution should provide multi-level defense, consisting of a locally installed component and a cloud-based element. The on-site component enables immediate detection and mitigation of attacks, for instance at the application level, before they affect the company’s services. However, it cannot fend off the particularly high-volume attacks, such as those launched by botnets, which can saturate the Internet connection so that connectivity is no longer guaranteed. This is where the cloud-based component comes into play: if the volume of a locally detected attack exceeds a defined threshold, cloud-based countermeasures can be activated automatically to protect the business.
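The escalation rule described in the last paragraph, as an added illustration that is not code from the article or from any vendor’s product: the on-site stage blocks individual sources that exceed an application-level request rate, and once the aggregate volume approaches the assumed link capacity it hands off to cloud-based scrubbing. All thresholds, addresses and traffic figures below are constructed assumptions.

```python
from collections import defaultdict

# Assumed figures (not from the article): a 10 Gbps uplink, hand-off to cloud
# scrubbing at 80% of it, and a per-source request-rate ceiling enforced by
# the on-site (application-level) component.
LINK_CAPACITY_GBPS = 10.0
CLOUD_ESCALATION_GBPS = 0.8 * LINK_CAPACITY_GBPS
APP_REQ_PER_SEC_LIMIT = 200


def to_gbps(byte_count):
    """Bytes seen within one second, expressed in gigabits per second."""
    return byte_count * 8 / 1e9


def evaluate_second(records):
    """Decide what to do with one second of traffic.

    records: iterable of (src_ip, bytes, requests). Returns (action, blocked, gbps):
    'none', 'local_block' (on-site component drops abusive sources) or
    'cloud_escalate' (the volume threatens the uplink itself, which local
    filtering cannot fix, so cloud-based countermeasures are activated).
    """
    per_src = defaultdict(lambda: [0, 0])
    for src, nbytes, requests in records:
        per_src[src][0] += nbytes
        per_src[src][1] += requests
    total = to_gbps(sum(b for b, _ in per_src.values()))
    blocked = sorted(s for s, (_, r) in per_src.items() if r > APP_REQ_PER_SEC_LIMIT)
    if total >= CLOUD_ESCALATION_GBPS:
        return "cloud_escalate", blocked, total
    if blocked:
        return "local_block", blocked, total
    return "none", blocked, total


def run(samples):
    """Group (second, src_ip, bytes, requests) samples by second and evaluate each one."""
    per_second = defaultdict(list)
    for second, src, nbytes, requests in samples:
        per_second[second].append((src, nbytes, requests))
    return {sec: evaluate_second(recs) for sec, recs in sorted(per_second.items())}


# Constructed traffic: second 1 normal, second 2 one source flooding the application
# layer, second 3 a volumetric flood from 2000 bots that would saturate the link.
SAMPLES = [(1, "203.0.113.5", 120_000, 40), (1, "198.51.100.7", 90_000, 30),
           (2, "203.0.113.5", 6_000_000, 900), (2, "198.51.100.7", 80_000, 25)]
SAMPLES += [(3, f"192.0.2.{i % 254 + 1}", 600_000, 3) for i in range(2000)]
```

Calling `run(SAMPLES)` yields no action for second 1, a local block of 203.0.113.5 for second 2, and a cloud escalation at 9.6 Gbps for second 3.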