Cybersecurity attacks come in many forms and use a variety of technical approaches. Breaches are constant, with both industry and government being targeted. One exploit method used by criminal hackers, the botnet, can be deployed with devastating and widespread consequences.
Recently, the Federal Bureau of Investigation (FBI) disrupted a botnet used by Russia’s Main Intelligence Directorate (GRU) to inflict significant cyber damage. According to the US Department of Justice, the FBI operation “Copied and Removed Malware Known as “Cyclops Blink” from the Botnet’s Command-And-Control Devices, Disrupting the GRU’s Control Over Thousands of Infected Devices Worldwide.” 1
Such orchestrated botnet cyber-attacks are not new and have been going on for almost two decades, but they are proliferating and pose major threats. They are carried out not only by state-sponsored intelligence actors but also by organized criminal hacking groups. In fact, according to recent findings, bot attacks on application programming interfaces (API attacks) have “exploded in 2021 as malicious bots continued to invade the internet. Compared to last year’s data collection, there was an increase of 41% in attacks on Internet-connected systems. Media companies (up 174%) and financial services companies (683 million bot attacks) have seen increases in malicious bot attacks from January to June.” 2
What is a Botnet?
What exactly is a botnet? A basic definition from the NIST Computer Security Resource Center states that the word “botnet” is formed from the words “robot” and “network,” and that cybercriminals use special Trojan viruses to breach the security of several users’ computers, take control of each computer, and organize all the infected machines into a network of “bots” that the criminal can remotely manage. 3
In essence, a botnet is a network of hijacked devices controlled by hackers; it can spread malware and/or ransomware to further devices and can be self-perpetuating and destructive, much like a biological virus.
Reference source Techopedia provides a more elaborate description of what a botnet can do. “A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks. A botnet may also be known as a zombie army.
Originally, botnets were created as a tool with valid purposes in Internet relay chat (IRC) channels. Eventually, hackers exploited the vulnerabilities in IRC networks and developed bots to perform malicious activities such as password theft, keystroke logging, etc.
An attacker will often target computers not safeguarded with firewalls and/or anti-virus software. A botnet manipulator can get control of a computer in a variety of ways, but most frequently does so via viruses or worms. Botnets are significant because they have become tools that both hackers and organized crime use to perform illegal activities online. For example, hackers use botnets to launch coordinated denial-of-service attacks, while organized crime uses botnets as ways to spam, or send a phishing attack that is then used for identity theft.” 4
Cyber expert Isa Oyekunle succinctly summarizes the why and how of using bots in cyber-attacks in his blog “What are Bots and Botnets”. He notes that cybercriminals use botnet assaults to accomplish a variety of tasks including: to gain access to financial and personal data, to overwhelm reputable web services, to extort funds from victims, to profit from zombie and botnet networks by selling access to other criminals, to employ scams involving cryptocurrency, to exploit backdoors created by viruses and worms, and to keep track of users’ keystrokes.
Mr. Oyekunle cites Phishing, Spambots, Bricking, Crypto jacking, Snooping, Distributed Denial-of-service (DDoS) attacks, and Brute force attacks as the types of bots and botnets that cybercriminals can utilize to carry out various assaults. 5
Unfortunately, there are plenty of tools available for criminal hackers to use and share, including keyloggers to steal passwords and the aforementioned phishing attacks, which can also be used to steal identities by impersonating companies. Hackers are also using botnets successfully for cryptomining, stealing unsuspecting computers’ bandwidth and electricity. Many of these more pernicious botnet tools are sold openly and shared on the dark web and hacker forums.
Botnets are not used only for cyber-attacks; they are also used for advertising, marketing, and transactional business. For example, adware bots use advertisements to educate and attract potential buyers for brands or products. Botnets can also be used for “pay for click” schemes to bring revenues to websites.
How Are Botnet Attacks Orchestrated?
The cybersecurity firm CrowdStrike provides an excellent overview of the stages of creating a botnet and how an attack unfolds. They identify the stages as 1) Expose, 2) Infect and Grow, and 3) Activate.
CrowdStrike outlines a three-step process:
“In stage 1, the hacker will find a vulnerability in either a website, application, or user behavior in order to expose users to malware. A bot herder intends for users to remain unaware of their exposure and eventual malware infection. They may exploit security issues in software or websites so that they can deliver malware through emails, drive-by downloads, or trojan horse downloads.
In stage 2, victims’ devices are infected with malware that can take control of their devices. The initial malware infection allows hackers to create zombie devices using techniques like web downloads, exploit kits, popup ads, and email attachments. If it’s a centralized botnet, the herder will direct the infected device to a C&C server. If it’s a P2P botnet, peer propagation begins, and the zombie devices seek to connect with other infected devices.
In stage 3, when the bot herder has infected a sufficient amount of bots, they can then mobilize their attacks. The zombie devices will then download the latest update from the C&C channel to receive its order. The bot then proceeds with its orders and engages in malicious activities. The bot herder can continue to remotely manage and grow their botnet to carry out various malicious activities. Botnets do not target specific individuals since the bot herder’s goal is to infect as many devices as possible so they can carry out malicious attacks.” 6
That three-stage process as described is not overly complicated, but the tools and tactics used to spread botnets can be sophisticated and formidable.
Our Growing Digital Connected World — Made For Botnets
There are dire implications of having devices and networks so digitally interconnected when it comes to botnets, especially when those networks carry unpatched vulnerabilities. The past decade has recorded many botnet cyber-attacks. Many who are involved in cybersecurity will recall the massive and high-profile Mirai botnet DDoS attack in 2016. Mirai was an IoT botnet made up of hundreds of thousands of compromised IoT devices. It targeted Dyn, a domain name system (DNS) provider for many well-known internet platforms, in a distributed denial-of-service (DDoS) attack. That DDoS attack sent millions of bytes of traffic to a single server to cause the system to shut down. The Dyn attacks leveraged Internet of Things devices, and some of the attacks were launched by common devices like digital routers, webcams and video recorders infected with malware.
In 2018, a large botnet victimized the GitHub software development platform in one of the largest DDoS attacks ever recorded. That attack took the platform offline. There have been many other alarming high-profile botnet attacks in the past few years. You can find a good historical list of botnet attacks at this link: List of Botnets | The Most Prevalent Botnets of Recent Years | Netacea | compiled by the cybersecurity firm Netacea.
With advances in artificial intelligence and machine learning, botnets can now readily automate and rapidly expand cyber-attacks. There is also a growing Bot-as-a-Service market being used by cyber-criminals to outsource attacks. And while there are a variety of botnet options, DDoS-type attacks are still considered the most common threat. That is a scary proposition for any company or government agency.
Fighting Back Against Botnets
The good news is that there are defenses available for companies to use that incorporate specialized bot protection tools that can detect and mitigate bot attacks.
Writing in US Cybersecurity Magazine, cybersecurity SME Vinugayathri Chinnasamy offers several pathways to combat bots. These include:
· “Analysis of Bot Traffic: Before mitigation, it is crucial to analyze bots. Behavior and pattern analysis, coupled with real-time traffic alerts, allows you to detect bot attack traffic effectively. The approach looks at every visitor who enters an application and checks if they are who they say they are by cross-checking their signature behavior with a database.
· Apprehend the bot to block: Apprehend a bot’s true identity by reading its header information and stream of web requests with WAF to instantly block any malicious behavior.
· Utilize Bot Detector: Utilizing bot detecting tools, CAPTCHA libraries can be used to create and validate a variety of practical challenges to prevent downloads or spambots.” 7
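The first two pathways above, behavior and pattern analysis of traffic and inspection of header information across a client's stream of requests, can be illustrated in code. The following Python example is added here; it is not from the article or from any of the vendors it cites. It parses constructed web-server access-log lines, groups them per client, derives behavioural features and a header check, and produces a "bot or not" verdict. The sample log lines, the User-Agent patterns, the weights and the threshold are all illustrative assumptions.

```python
"""Heuristic bot-traffic scoring over web-server access logs.

Implements two checks from the text: behaviour and pattern analysis per
client (request rate, error ratio, whether static assets and Referer
headers appear as they would for a real browser) and header inspection
(User-Agent strings of common automation libraries). Sample data is
constructed; thresholds and weights are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Header check: User-Agents of common HTTP libraries, or no User-Agent at all.
AUTOMATION_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|scrapy|^-?$", re.I)
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")

# Constructed sample (documentation IP ranges): a human shopping session, a
# credential-stuffing script that announces itself in its User-Agent, and a
# scraper that spoofs a browser User-Agent but does not behave like a browser.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2022:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0"
198.51.100.7 - - [10/Apr/2022:13:55:37 +0000] "GET /static/app.css HTTP/1.1" 200 811 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0"
198.51.100.7 - - [10/Apr/2022:13:56:02 +0000] "GET /product/42 HTTP/1.1" 200 7310 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0"
198.51.100.7 - - [10/Apr/2022:13:56:40 +0000] "POST /cart HTTP/1.1" 302 0 "https://shop.example/product/42" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0"
203.0.113.9 - - [10/Apr/2022:13:55:36 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.27.1"
203.0.113.9 - - [10/Apr/2022:13:55:36 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.27.1"
203.0.113.9 - - [10/Apr/2022:13:55:36 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.27.1"
203.0.113.9 - - [10/Apr/2022:13:55:37 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.27.1"
203.0.113.9 - - [10/Apr/2022:13:55:37 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.27.1"
203.0.113.9 - - [10/Apr/2022:13:55:37 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.27.1"
192.0.2.44 - - [10/Apr/2022:13:57:00 +0000] "GET /product/1 HTTP/1.1" 200 7290 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0.4896.75"
192.0.2.44 - - [10/Apr/2022:13:57:00 +0000] "GET /product/2 HTTP/1.1" 200 7301 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0.4896.75"
192.0.2.44 - - [10/Apr/2022:13:57:00 +0000] "GET /product/3 HTTP/1.1" 200 7288 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0.4896.75"
192.0.2.44 - - [10/Apr/2022:13:57:00 +0000] "GET /product/4 HTTP/1.1" 200 7295 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0.4896.75"
192.0.2.44 - - [10/Apr/2022:13:57:00 +0000] "GET /product/5 HTTP/1.1" 200 7311 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/100.0.4896.75"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def group_by_client(lines):
    """Group parsed requests by client IP (the 'stream of web requests' per visitor)."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[rec["ip"]].append(rec)
    return sessions


def features(reqs):
    """Behavioural and header features for one client's request stream."""
    reqs = sorted(reqs, key=lambda r: r["ts"])
    span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
    n = len(reqs)
    return {
        "requests": n,
        "rate_per_sec": n / (span + 1.0),  # +1 s avoids division by zero for one-second bursts
        "automation_ua": any(AUTOMATION_UA.search(r["ua"]) for r in reqs),
        "error_ratio": sum(r["status"] >= 400 for r in reqs) / n,
        "static_ratio": sum(r["path"].lower().endswith(STATIC_EXT) for r in reqs) / n,
        "no_referer_ratio": sum(r["referer"] == "-" for r in reqs) / n,
    }


def score(f):
    """Weighted heuristic score; weights are illustrative assumptions, not tuned values."""
    s = 0.0
    if f["automation_ua"]:
        s += 0.5  # header check: library User-Agent or none at all
    if f["rate_per_sec"] > 1.0:
        s += 0.2  # faster than a person clicks through pages
    if f["error_ratio"] > 0.5:
        s += 0.2  # mostly 4xx, e.g. repeated failed logins
    if f["requests"] >= 3 and f["static_ratio"] == 0:
        s += 0.1  # browsers fetch CSS/JS/images; scripts usually do not
    if f["requests"] >= 3 and f["no_referer_ratio"] == 1.0:
        s += 0.2  # browsers send Referer when navigating within a site
    return round(s, 2)


def classify_log(text, threshold=0.5):
    """Return per-client features, score and a 'bot'/'human' verdict for a log text."""
    results = {}
    for ip, reqs in group_by_client(text.splitlines()).items():
        f = features(reqs)
        f["score"] = score(f)
        f["verdict"] = "bot" if f["score"] >= threshold else "human"
        results[ip] = f
    return results


if __name__ == "__main__":
    for ip, f in classify_log(SAMPLE_LOG).items():
        print(f"{ip:<14} score={f['score']:<4} verdict={f['verdict']}")
```

The third client is the instructive case: its User-Agent looks like a browser, so header inspection alone would pass it, but its request pattern (five product pages in one second, no stylesheet or image loads, no Referer) still crosses the threshold. That is why the text lists behavior and pattern analysis before header-based blocking; in practice the weights would be calibrated against known-good traffic and the verdict fed to the WAF blocking and CAPTCHA challenges described above.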
One cybersecurity firm called HUMAN (About Us | HUMAN Security) has had a series of successes in stopping botnets in cooperation with law enforcement and industry. HUMAN has taken an aggressive collective approach using top-line signature and behavioral detection techniques that build on hacker intelligence. They synthesize that data with a real-time decision engine that combines technical evidence and machine learning to offer rapid and accurate ‘bot or not’ decisions that ensure human-only interaction.
HUMAN uncovers, reverse engineers, and disrupts bot-driven threats to advertising, marketing, and cybersecurity. Examples include taking down PARETO—the most sophisticated CTV botnet ever found—in cooperation with Roku and Google; disrupting 3ve, bringing together the FBI, Google, Facebook and many others in the industry; and the takedown of Methbot, which recently culminated in the self-proclaimed ‘King of Fraud’ responsible for the operation being sentenced to 10 years in prison.
Tamer Hassan, HUMAN’s CEO & Founder, is confident that cyber botnet attacks can be mitigated. He says “Seventy seven percent of all cyber-attacks have a bot used somewhere in the attack cycle. The game is to use a botnet to look like a million humans. Bots are being used to do everything from vulnerability scanning, stealing sensitive information, account takeover, sniping and scalping products with limited inventory, manipulation of popularity, and multi-billion dollar fraud operations in advertising and media. Botnets have become a platform for cybercrime, used by most modern criminals. Protecting against these types of attacks requires a different approach, one based on modern defense, a set of strategies that increase the cost of the attack and lower the cost of defense. This changes the game and the odds to the side of the good, enabling us to defeat attackers. This is the only way to win.”
I concur with Tamer Hassan’s insights. Cybersecurity in general needs a newer and evolved set of strategies that includes threat intelligence, technical tools & expertise, advanced analytics, cost mitigation, and collaboration. Botnets are not going to go away. However, changing the approach to better enable “the side of good” will help keep us better prepared to defeat sinister threats before and when botnets attack.
References & Sources:
1) Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) | OPA | Department of Justice
2) Are Businesses Prepared to Fight Bot Attacks on APIs? – United States Cybersecurity Magazine (uscybersecurity.net)
3) Botnet – Glossary | CSRC (nist.gov)
4) What is a Botnet? – Definition from Techopedia
5) What are Bots and Botnets? (securitygladiators.com)
6) What is a Botnet? | CrowdStrike
7) Are Businesses Prepared to Fight Bot Attacks on APIs? – United States Cybersecurity Magazine (uscybersecurity.net)
About The Author
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Programs, where he teaches courses on risk management, homeland security, and cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, as a “Top 50 Global Influencer in Risk, Compliance,” by Thomson Reuters, “Best of The World in Security” by CISO Platform, and by IFSEC and Thinkers 360 as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica “Who’s Who in Cybersecurity” as one of the top Influencers for cybersecurity. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.