By Mark Patrick, Mouser Electronics
Once a hacker has accessed a computer system or an individual computer, there are many options available to them. They can lock the data and demand a ransom, simply spy on the user’s activities – or a range of other things. The hacker can also prepare the computer for use as a “bot” to which they can gain access at a later date. Once several computers have been compromised in this way, they can be connected to create a “botnet,” which can be put to further malicious use. Botnets can automate the task of their own expansion by compromising further systems and adding them. Another use for botnets is to perform distributed denial of service (DDoS) attacks, overwhelming systems with more requests than they can cope with.
In fact, over 30% of all IT downtime is the result of DDoS attacks, confirming this as one of the most used cyberweapons today. The cost to businesses runs into billions of dollars as transactions fail and data disappears. There is also the cost of fixing the system after the attack and improving security, as well as the loss of brand reputation, which is very real. Anyone who uses a service provider is potentially exposed to these types of attack, including the large-scale attacks that can impact governments and large commercial organizations.
Botnets are very difficult to detect and stop. As the malicious DDoS traffic comes from various distributed bots, it merges easily with genuine traffic, making it hard to detect and respond to. Detection is harder still when the key command and control servers are kept behind a network of proxies to hide their activity. Some providers do not honor take-down requests, and botnets hosted by these organizations will survive even in the unlikely event of them being detected.
Botnets: Some background
Botnets are not new; as long ago as 2001, they were first used for simple malicious tasks such as distributing spam. Things have evolved since those early days, and a massive 60Gbps attack using several simultaneous methods was directed against Citigroup, JPMorgan Chase and Bank of America, as well as three other banks in 2012. That attack seemed slow compared to the 500Gbps attack on the website of PopVote (supporting Hong Kong’s pro-democracy grassroots) by five botnets in 2014. Other (in)famous attacks include hotel chain Marriott and website builder WordPress, although the biggest attack occurred in 2016 and was known as Mirai. This attacked the Internet of Things (IoT) and affected connected devices.
Paras Jha, a student and Minecraft enthusiast, co-created Mirai to make more money from hosting Minecraft games by eliminating other hosts via DDoS attacks. Using a simple technique to attack insecure IoT devices, it probed the internet for open Telnet ports and tried factory-default username/password combinations. As many people never change the access credentials of their devices, Mirai had soon recruited a significant number of CCTV cameras and routers.
The first victim of Mirai was French telecom host OVH. Its hosting of the Minecraft game platform was brought down with a 1.5Tbps DDoS attack. Following this, Jha and his accomplices directed 1.5 million connected CCTV cameras to take down a cybersecurity blog site.
The source code of Mirai was published online, possibly to divert attention from the original source. This also enabled anyone with the knowledge to build a botnet, and soon after there was another attack, but this time not by Jha. When Dyn was attacked at 1.2Tbps, many major websites were affected, including Netflix, Twitter, Airbnb, Spotify and others.
Jha and his accomplices were eventually caught, arrested and sentenced. However, that did not stop the effects of Mirai; thousands of UK-based servers were subsequently attacked, as were German telecoms companies. Mirai was not complex code, but it was easily adapted and could be re-coded to attack new IoT devices as their default credentials became known. It also spawned other botnets, including Satori and Reaper.
Learning Lessons from Mirai
After the Mirai attacks, Morey Haber from vulnerability expert Beyond Trust advocated for stronger laws to require IoT devices to be better protected during manufacture, recognizing that this would entail enhanced international cooperation. Others, including Chester Wisniewski from cybersecurity expert Sophos, were not convinced, seeing the proposals as insufficient. However, there was agreement that minimum safety standards should be defined, and implementation of certain best practices (regular system patching, rotation of passwords, privilege curtailing) would increase security – and rebuild trust that had been dented as a result of the high-profile attacks.
Dyn made a recommendation that major companies should spread the risk by using multiple Internet infrastructure providers, which would reduce any impact of a future DDoS attack. Furthermore, encrypting internal data including customer records could mean that even if data were stolen, it would remain protected.
Looking to the Future
With billions of devices deployed (Gartner claims 8.4 billion in 2017, rising to 20.8 billion by 2020), the IoT gives cybercriminals more potential attack surfaces than ever before. As people become more security aware, they are securing their phones, tablets and desktop machines more than before, but low-power devices that connect to the web, including routers, thermostats and security cameras, are often neglected.
Given the large number of sophisticated DDoS threats circulating, the vulnerability of IoT devices is exacerbated by the older-style defense mechanisms they continue to rely on.
This is supported by the fact that, in 2018, one in six infected devices was an IoT bot, an increase of 3.5% on the previous year, according to the Nokia Threat Intelligence Report 2019. If further evidence were needed, almost 80% of malware is associated with IoT botnets. The forthcoming 5G rollout will only exacerbate the situation, as more devices including vehicles, home health monitors and drones become “connected.” As more devices of a single type are deployed – such as a particular type of health monitor – the criminals’ lives become easier as, once they have gained access to one device, they may well be able to gain access to all devices of that type. This has already happened in Japan, where 50,000 security cameras were used in a DDoS attack.
How Can Governments Address the Situation?
The US Department of Homeland Security recently stated: “DDoS attacks have grown in size to more than 1Tbps, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.” Network providers have tried to mitigate DDoS attacks by creating excess network capacity; however, these approaches “were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda.”
In more direct approaches to stem the botnet threat, the Defense Advanced Research Projects Agency (DARPA) is looking at ways that botnets can be identified, as well as researching tools that can hack the identified botnets. Other governments are also picking up the challenge, focusing on how botnets can be neutralized once they have hacked a network.
What Should Businesses be Doing?
The lead author of Nokia’s Threat Intelligence Report 2019 says that the first step is to ensure that all devices are managed in a secure fashion, recognizing that this will require a combination of firmware, software and patches. He goes on to advocate that any company involved in the IoT to any extent must use a “managed mechanism” so that any security flaws can be addressed appropriately.
It is also recommended that carriers take a role in the fight by monitoring network traffic for anything suspicious, so that any IoT nodes that have been compromised can be quickly identified. These devices must be isolated with a swift and automated response from the carrier.
Also, secure communication that involves authentication, integrity and confidentiality is seen as a key requirement to protect IoT devices in the future.
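The traffic monitoring recommended above can key on the behavior the article attributes to Mirai: an infected device contacting many different hosts on Telnet ports in a short time. The following sketch is an added example, not code from the article or from any carrier product; the flow-record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # 23 is Telnet; 2323 is a common alternate port
WINDOW_SECONDS = 60         # hypothetical tuning value
MIN_DISTINCT_TARGETS = 20   # hypothetical tuning value


def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    for i in range(40):   # camera probing 40 hosts on Telnet within 40 s
        flows.append((1000 + i, "10.0.0.50", f"198.51.100.{i + 1}", 23))
    for i in range(5):    # admin workstation: repeated Telnet to one switch
        flows.append((1000 + i * 10, "10.0.0.7", "10.0.0.1", 23))
    for i in range(30):   # thermostat: many HTTPS destinations, no Telnet
        flows.append((1000 + i, "10.0.0.60", f"203.0.113.{i + 1}", 443))
    return flows


def find_telnet_scanners(flows, window=WINDOW_SECONDS,
                         min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: peak count of distinct Telnet targets in any window}."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in TELNET_PORTS:
            per_src[src].append((ts, dst))

    suspects = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        in_window = defaultdict(int)   # dst -> flows currently inside window
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window: drop flows older than `window` seconds.
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            suspects[src] = best
    return suspects


if __name__ == "__main__":
    print(find_telnet_scanners(build_sample_flows()))
```

A device that spreads its probes out so that fewer than `min_targets` fall inside one window is not flagged, so the window and threshold have to be tuned against real traffic before the result is used to isolate a device automatically.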
What Steps Should Individuals Take?
There are several simple things that individuals can do to safeguard themselves. A good first step is to look at all IoT devices deployed in the home and remove any that are superfluous, so that the number of potential entry points is reduced. For those that are necessary, passwords must be changed from the default that the device shipped with, and firmware must be regularly updated to benefit from protection against the latest threats.
In general, it is good practice to deploy devices that are established. This means devices from a well-respected brand that have been developed through several generations, as security will be more mature and stronger. Device passwords should be changed immediately from the default, as any device can be infiltrated as soon as it is connected. If there are options relating to the security level, it is best practice to use the strongest.
Software updates often contain security patches, so these should always be implemented. It is a good idea to allow the device to auto-update if possible, so that any essential updates are implemented as soon as they become available, reducing any window of exposure.
Not all IoT devices are fixed, with tablets and smartwatches being two examples. These should also be set up following best practice, and particular care should be exercised when connecting to unsecured public Wi-Fi networks, such as those found in coffee shops, hospitals and airports.
Summary
Botnets are more common than we may realize, and they will only increase in number as more people seek to maliciously exploit our connected world. We need to ensure that our legitimate networks are protected, and in the same way that we cannot always eradicate diseases but we vaccinate against them to lessen their impact, we must do the same with botnets.
If individuals, corporations and governments all play their part and implement the various good practices (many of which are simple) then, while botnets will remain, it is hoped that their impact can be significantly lessened.