Botnets act as a force multiplier for individual attackers, cyber-criminal groups and nation-states looking to disrupt or break into their targets’ systems. By definition, a botnet is a collection of internet-connected devices of any type that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.
Malicious actors build botnets by infecting connected devices with malware and then managing them using a command and control server. Once an attacker has compromised a device on a specific network, all the vulnerable devices on that network are at risk of being infected.
A botnet attack can be devastating. In 2016, the Mirai botnet shut down major swathes of the internet, including Twitter, Netflix, CNN and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the Dyn servers that route internet traffic.
The industry woke up, and device manufacturers, regulators, telecom companies and internet infrastructure providers worked together to isolate compromised devices, take them down or patch them, and make sure that a botnet like that could never be built again.
Just kidding. None of that happened. Instead, the botnets just keep coming.
Even the Mirai botnet is still up and running. According to a report released by Fortinet in August 2018, Mirai was one of the most active botnets in the second quarter of this year.
Since the release of its source code two years ago, Mirai botnets have even added new features, including the ability to turn infected devices into swarms of malware proxies and cryptominers. They’ve also continued to add exploits targeting both known and unknown vulnerabilities, according to Fortinet.
In fact, cryptomining is showing up as a significant change across the botnet universe, says Tony Giandomenico, Fortinet’s senior security strategist and researcher. It allows attackers to use the victim’s computer hardware and electricity to earn Bitcoin, Monero and other cryptocurrencies. “That’s the biggest thing that we’ve been experiencing over the past few months,” he says. “The bad guys are experimenting with how they can use IoT botnets to make money.”
Mirai is just the start. In fall 2017, Check Point researchers said they discovered a new botnet, variously known as “IoTroop” and “Reaper,” that’s compromising IoT devices at an even faster pace than Mirai did. It has the potential to take down the entire internet once the owners put it to work.
Mirai infected vulnerable devices that used default user names and passwords. Reaper goes beyond that, targeting at least nine different vulnerabilities from nearly a dozen different device makers, including major players like D-Link, Netgear and Linksys. It’s also flexible, in that attackers can easily update the botnet code to make it more damaging.
According to research by Recorded Future, Reaper was used in attacks on European banks this year, including ABN Amro, Rabobank and ING.