Threat actors use botnets — networks of infected computers or devices — for various cybercriminal purposes, most significantly distributed denial-of-service (DDoS) attacks against predefined targets. Today, botnets with DDoS capabilities are even for sale on the Dark Web. In March 2016, our IBM report, “The Inside Story on Botnets,” explored the botnet cybercrime landscape. How has this threat evolved?

Tracking the Weaponization of IoT

One of the most important changes, the rising use of compromised Internet of Things (IoT) devices in botnet operations, is the focus of our latest report, “The Weaponization of IoT Devices.” The IBM X-Force team has been tracking the threat from weaponized IoT devices, also known as thingbots. In the report, we examined several 2016 attacks and the motivations behind them.

Most notably, we reported on the use of the Mirai botnet in several publicly disclosed DDoS attacks, as well as the steep increase in the bandwidth those attacks consumed. In June 2016, one of these attacks peaked at around 400 Gbps. In the months that followed, the threat from thingbots grew substantially.

In October 2016, reports of an IoT DDoS botnet attack against a different target described an attack roughly 200 percent larger than the one reported in June. X-Force also observed a rise in attacks from a new variant of the ELF Linux/Mirai malware that, in addition to traditional DDoS capabilities, also carries a bitcoin mining component.

Additionally, our analysis of port metrics obtained through a darknet — a block of IP addresses that hosts no services and should therefore never receive a connection request, so any traffic reaching it is unsolicited — revealed significant increases in scanning on TCP ports 23, 2323 and 7547 throughout the end of 2016. These ports are associated with the Mirai botnet, which scans them looking for vulnerable IoT devices: 23 and 2323 are telnet ports on which Mirai tries factory-default credentials, and 7547 is the TR-069 (CWMP) remote management port of consumer routers and modems that a later variant targeted.
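The following is an added example, not code from the X-Force report: it aggregates darknet telemetry by destination port, computes month-over-month growth, flags the Mirai-associated ports the article names, and additionally counts SYNs carrying the Mirai scanner's documented fingerprint (the leaked scanner source sets the TCP sequence number equal to the destination IP address). The record format and the sample flow lines are constructed for illustration and are not a real darknet feed.

```python
# Added example (not from the X-Force report): aggregate darknet telemetry by
# destination port and flag the Mirai-associated ports the article names.
# The record format and the flow lines below are constructed for illustration.
from collections import Counter
import ipaddress

# Ports the article reports Mirai scanning: 23 and 2323 (telnet), 7547 (TR-069).
MIRAI_PORTS = {23, 2323, 7547}

# Constructed darknet records: "date src_ip dst_ip dst_port tcp_flags tcp_seq".
# The darknet here is 203.0.113.0/24 (TEST-NET-3), which should never be contacted.
SAMPLE_FLOWS = """\
2016-09-03 198.51.100.7  203.0.113.10 23   S 3405803786
2016-09-10 198.51.100.9  203.0.113.25 23   S 12345
2016-09-15 192.0.2.44    203.0.113.10 2323 S 3405803786
2016-09-20 192.0.2.80    203.0.113.5  80   S 99
2016-12-01 198.51.100.7  203.0.113.10 23   S 3405803786
2016-12-02 198.51.100.21 203.0.113.25 23   S 3405803801
2016-12-03 192.0.2.44    203.0.113.10 23   S 1000
2016-12-04 192.0.2.45    203.0.113.25 2323 S 3405803801
2016-12-05 192.0.2.46    203.0.113.10 2323 S 7
2016-12-06 198.51.100.30 203.0.113.10 7547 S 3405803786
2016-12-07 198.51.100.31 203.0.113.25 7547 S 3405803801
2016-12-08 192.0.2.80    203.0.113.5  80   S 100
"""


def parse_flows(text):
    """Parse whitespace-separated records into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, src, dst, port, flags, seq = parts
        flows.append({
            "month": date[:7],  # "YYYY-MM" bucket used for trend comparison
            "src": src,
            "dst": dst,
            "port": int(port),
            "flags": flags,
            "seq": int(seq),
        })
    return flows


def scans_per_port(flows, month=None):
    """Count SYN-only connection attempts per destination port, optionally for one month."""
    return Counter(
        f["port"] for f in flows
        if f["flags"] == "S" and (month is None or f["month"] == month)
    )


def port_growth(flows, before, after):
    """Percent change in per-port scan volume between two months.
    A port unseen in `before` yields None: new activity, not a ratio."""
    a, b = scans_per_port(flows, before), scans_per_port(flows, after)
    growth = {}
    for port in set(a) | set(b):
        growth[port] = None if a[port] == 0 else round(100.0 * (b[port] - a[port]) / a[port], 1)
    return growth


def flag_mirai_ports(flows, before, after, threshold_pct=50.0):
    """Mirai-associated ports whose scan volume is new or grew by at least threshold_pct."""
    growth = port_growth(flows, before, after)
    return sorted(
        p for p in MIRAI_PORTS
        if p in growth and (growth[p] is None or growth[p] >= threshold_pct)
    )


def mirai_fingerprint_hits(flows):
    """Count SYNs whose sequence number equals the destination IP as a 32-bit
    integer: the leaked Mirai scanner sets tcph->seq = iph->daddr on its probes."""
    return sum(
        1 for f in flows
        if f["flags"] == "S" and f["seq"] == int(ipaddress.ip_address(f["dst"]))
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scans per port:", dict(scans_per_port(flows)))
    print("growth Sep->Dec:", port_growth(flows, "2016-09", "2016-12"))
    print("flagged Mirai ports:", flag_mirai_ports(flows, "2016-09", "2016-12"))
    print("SYNs with Mirai seq fingerprint:", mirai_fingerprint_hits(flows))
```

Because a darknet should receive no legitimate traffic at all, the absolute counts matter less than the trend and the port mix; a port that appears from nothing (7547 above) is reported as new rather than as an infinite percentage so it is not lost in a threshold comparison. The sequence-number check is a cheap second signal that separates Mirai probes from unrelated telnet scanning on the same ports.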

An Evolving Threat

DDoS attacks have evolved over time. The weaponization of IoT devices into attacking DDoS botnets is simply the latest trend, the current “thing” from which to create an army of bots.

A recent report from Incapsula illustrated that this threat is not diminishing any time soon. One of its customers, a U.S. college, suffered a massive DDoS attack in February 2017 that lasted more than two days. According to the report, analysts believed that the perpetrators used a new version of the Mirai malware that was “modified to launch more elaborate application layer attacks.” Interestingly, DVRs manufactured by the same vendor made up 56 percent of all IPs used in the attack.

A DDoS Arms Race

A handful of drivers underlie the majority of IoT security problems, chief among them factory-default credentials and management services left reachable from the internet, which is exactly what Mirai's telnet scanning exploits. As DDoS attacks have become more potent and more common, DDoS mitigation services have proliferated in parallel, an arms race of sorts.

Whether it’s a computer, mobile device or appliance, anything connected to the internet could become subject to attack. The proliferation of IoT devices will accelerate substantially — they are expected to account for more than two-thirds of the 34 billion connected devices projected by 2020.

It is vital that organizations and consumers implement IoT security best practices, starting with the basics: change default credentials, disable telnet and other remote management services that are not needed (or keep them off the public internet), and apply firmware updates. Refer to the report to find out how to prevent your IoT device from becoming part of a massive botnet.

Read the complete X-Force Research report now: The Weaponization of IoT
