Threat actors use botnets — networks of infected computers or devices — for various cybercriminal purposes, most significantly distributed denial-of-service (DDoS) attacks against predefined targets. Today, botnets with DDoS capabilities are even for sale on the Dark Web. In March 2016, our IBM report, “The Inside Story on Botnets,” explored the botnet cybercrime landscape. How has this threat evolved?

Tracking the Weaponization of IoT

One of the most important changes, the rising use of compromised Internet of Things (IoT) devices in botnet operations, is the focus of our latest report, “The Weaponization of IoT Devices.” The IBM X-Force team has been tracking the threat from weaponized IoT devices, also known as thingbots. In the report, we examined several 2016 attacks and the motivations behind them.

Most notably, we reported on the use of the Mirai botnet in several publicly disclosed DDoS attacks, as well as the exponential increase in the bandwidth involved in those attacks. In June 2016, one of these attacks peaked at around 400 Gbps. In the months following, the threat from thingbots grew substantially.

In October 2016, reports of an IoT DDoS botnet attack against a different target revealed an approximately 200 percent size increase over the attack reported in June. X-Force also observed a rise in attacks from a new variant of the ELF Linux/Mirai malware that, in addition to traditional DDoS capabilities, also contains a bitcoin mining component.

Additionally, our analysis of port metrics obtained through a darknet — a block of IP addresses that should not receive any connection requests — revealed significant increases of scanning on TCP ports 23, 2323 and 7547 throughout the end of 2016. These ports are associated with the Mirai botnet, which scans them looking for vulnerable IoT devices.
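The darknet measurement described above can be reproduced in miniature: because no legitimate traffic should ever reach a darknet range, every inbound SYN is a probe, so counting distinct source addresses hitting the Mirai-associated ports is a direct signal of scanner growth. The following Python script is an added example, not part of the X-Force report; the flow records are constructed, and the baseline counts passed to `flag_ports` are a hypothetical prior-period measurement.

```python
"""Darknet telemetry check for Mirai-associated port scanning (added example)."""
from collections import defaultdict
from datetime import datetime

# TCP ports the post associates with Mirai's scanner.
MIRAI_PORTS = {23, 2323, 7547}

# Constructed sample of darknet flow records: "timestamp src_ip dst_port tcp_flags".
# Every packet to a darknet range is unsolicited, so each record is a scan probe.
SAMPLE_FLOWS = """\
2016-11-01T10:00:01 198.51.100.7 23 S
2016-11-01T10:00:02 198.51.100.9 23 S
2016-11-01T10:00:03 203.0.113.5 2323 S
2016-11-01T10:00:04 198.51.100.7 2323 S
2016-11-01T10:00:05 203.0.113.8 7547 S
2016-11-01T10:00:06 203.0.113.9 7547 S
2016-11-01T10:00:07 198.51.100.12 443 S
2016-11-01T10:00:08 198.51.100.7 23 S
"""

def parse_flows(text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.fromisoformat(parts[0])
        yield ts, parts[1], int(parts[2])

def scanners_per_port(flows, ports=MIRAI_PORTS):
    """Count distinct source IPs probing each watched port (repeat probes count once)."""
    sources = defaultdict(set)
    for _ts, src, port in flows:
        if port in ports:
            sources[port].add(src)
    return {port: len(srcs) for port, srcs in sources.items()}

def flag_ports(counts, baseline):
    """Return watched ports whose distinct-scanner count exceeds a prior-period baseline."""
    return sorted(port for port, n in counts.items() if n > baseline.get(port, 0))

if __name__ == "__main__":
    counts = scanners_per_port(parse_flows(SAMPLE_FLOWS))
    # Hypothetical baseline from an earlier measurement window.
    print(counts, flag_ports(counts, {23: 1, 2323: 2, 7547: 0}))
```

Run against real darknet sensor output, the same functions give the per-port trend that the post reports for late 2016; the baseline should come from your own earlier measurement window.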

An Evolving Threat

DDoS attacks have evolved over time. The weaponization of IoT devices into attacking DDoS botnets is simply the latest trend, the current “thing” from which to create an army of bots.

A recent report from Incapsula illustrated that this threat is not diminishing any time soon. One of its customers, a U.S. college, suffered a massive DDoS attack in February 2017 that lasted more than two days. According to the report, analysts believed that the perpetrators used a new version of the Mirai malware that was “modified to launch more elaborate application layer attacks.” Interestingly, DVRs manufactured by the same vendor made up 56 percent of all IPs used in the attack.

A DDoS Arms Race

Several drivers underlie the majority of IoT security issues. As DDoS attacks have become more potent and more common, we have witnessed a parallel proliferation of DDoS mitigation services, an arms race of sorts.

Whether it’s a computer, mobile device or appliance, anything connected to the internet could become subject to attack. The proliferation of IoT devices will accelerate substantially — they are expected to account for more than two-thirds of the 34 billion connected devices projected by 2020.

It is vital that organizations and consumers look to implement IoT security best practices. Refer to the report to find out how to prevent your IoT device from becoming part of a massive botnet.

Read the complete X-Force Research report now: The Weaponization of IoT
