Threat actors use botnets — networks of infected computers or devices — for various cybercriminal purposes, most significantly distributed denial-of-service (DDoS) attacks against predefined targets. Today, botnets with DDoS capabilities are even for sale on the Dark Web. In March 2016, our IBM report, “The Inside Story on Botnets,” explored the botnet cybercrime landscape. How has this threat evolved?

Tracking the Weaponization of IoT

One of the most important changes, the rising use of compromised Internet of Things (IoT) devices in botnet operations, is the focus of our latest report, “The Weaponization of IoT Devices.” The IBM X-Force team has been tracking the threat from weaponized IoT devices, also known as thingbots. In the report, we examined several 2016 attacks and the motivations behind them.

Most notably, we reported on the use of the Mirai botnet in several publicly disclosed DDoS attacks, as well as the sharp increase in the bandwidth involved in those attacks. In June 2016, one of these attacks peaked at around 400 Gbps. In the months that followed, the threat from thingbots grew substantially.

In October 2016, reports of an IoT DDoS botnet attack against a different target revealed an approximately 200 percent size increase over the attack reported in June. X-Force also observed a rise in attacks from a new variant of the ELF Linux/Mirai malware that, in addition to traditional DDoS capabilities, also contains a bitcoin mining component.

Additionally, our analysis of port metrics obtained through a darknet — a block of IP addresses that should not receive any connection requests, so every packet that arrives is unsolicited scanning or backscatter — revealed significant increases in scanning on TCP ports 23, 2323 and 7547 throughout the end of 2016. These ports are associated with the Mirai botnet, which scans them (Telnet on 23 and 2323, and the TR-069 CPE management port 7547) looking for vulnerable IoT devices.
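The darknet analysis described above is easy to reproduce on your own telescope or firewall data. The following Python script is an added example, not code from the X-Force report: it parses constructed sample flow records (a simplified one-line-per-flow format assumed here, not any real collector's output), counts inbound SYNs on the three Mirai-associated ports across two periods to compute the percent change, flags sources probing several darknet addresses on those ports, and goes one step beyond the text by checking the TCP initial sequence number against the destination address, a characteristic of the public Mirai scanner source that is not mentioned in the report.

```python
"""Darknet port-hit analysis for Mirai-associated TCP ports (added example)."""
from collections import Counter, defaultdict
import ipaddress

# TCP ports the darknet analysis in the text associates with Mirai scanning.
MIRAI_PORTS = {23: "telnet", 2323: "telnet (alternate)", 7547: "TR-069 CWMP"}

# Constructed sample flows, not real telescope data. Assumed simplified format:
# <epoch> <src_ip> <dst_ip> <proto> <dport> <tcp_flags> <tcp_seq>
BASELINE_FLOWS = """\
1475280000 203.0.113.7 198.51.100.10 tcp 23 S 1188200451
1475280030 203.0.113.7 198.51.100.11 tcp 23 S 2207733094
1475280300 192.0.2.44 198.51.100.12 tcp 445 S 871234001
1475280400 192.0.2.45 198.51.100.13 tcp 1900 S 0
1475280600 192.0.2.50 198.51.100.10 tcp 7547 S 5
"""

CURRENT_FLOWS = """\
1480550400 203.0.113.7 198.51.100.10 tcp 23 S 3325256714
1480550401 203.0.113.7 198.51.100.11 tcp 23 S 3325256715
1480550402 203.0.113.7 198.51.100.12 tcp 2323 S 3325256716
1480550403 203.0.113.7 198.51.100.13 tcp 23 S 3325256717
1480550500 203.0.113.9 198.51.100.10 tcp 7547 S 3325256714
1480550501 203.0.113.9 198.51.100.14 tcp 7547 S 3325256718
1480550502 203.0.113.9 198.51.100.15 tcp 7547 S 3325256719
1480550600 192.0.2.44 198.51.100.12 tcp 445 S 1337
1480550700 192.0.2.77 198.51.100.12 tcp 23 S 99
"""


def parse_flow(line):
    """Parse one flow line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, dst, proto, dport, flags, seq = parts
    try:
        return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                "dport": int(dport), "flags": flags, "seq": int(seq)}
    except ValueError:
        return None


def parse_flows(text):
    """Parse a block of flow lines, silently dropping unparsable ones."""
    return [f for f in (parse_flow(l) for l in text.splitlines()) if f]


def is_syn_probe(flow, ports=MIRAI_PORTS):
    """True for an inbound TCP SYN to one of the watched ports."""
    return flow["proto"] == "tcp" and "S" in flow["flags"] and flow["dport"] in ports


def count_port_hits(flows, ports=MIRAI_PORTS):
    """SYN count per watched port; every watched port is present, even at zero."""
    hits = Counter({p: 0 for p in ports})
    for f in flows:
        if is_syn_probe(f, ports):
            hits[f["dport"]] += 1
    return dict(hits)


def percent_change(baseline, current):
    """Per-port percent change; None where the baseline is zero (no meaningful ratio)."""
    out = {}
    for port, now in current.items():
        base = baseline.get(port, 0)
        out[port] = None if base == 0 else round((now - base) / base * 100, 1)
    return out


def find_horizontal_scanners(flows, ports=MIRAI_PORTS, min_targets=3):
    """Sources that probed at least min_targets distinct darknet addresses on the watched ports."""
    targets = defaultdict(set)
    for f in flows:
        if is_syn_probe(f, ports):
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def has_mirai_seq_fingerprint(flow):
    """Mirai's scanner sets the TCP initial sequence number equal to the destination
    IPv4 address (public Mirai source, scanner.c). A match is a strong, cheap hint that
    the probe came from a Mirai-family bot rather than a generic Telnet scanner."""
    return flow["seq"] == int(ipaddress.IPv4Address(flow["dst"]))


def fingerprint_sources(flows, ports=MIRAI_PORTS):
    """Count probes per source that carry the Mirai sequence-number fingerprint."""
    hits = Counter()
    for f in flows:
        if is_syn_probe(f, ports) and has_mirai_seq_fingerprint(f):
            hits[f["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    base = count_port_hits(parse_flows(BASELINE_FLOWS))
    cur = count_port_hits(parse_flows(CURRENT_FLOWS))
    change = percent_change(base, cur)
    for port, name in MIRAI_PORTS.items():
        print(f"tcp/{port:<5} {name:<20} baseline={base[port]} current={cur[port]} change={change[port]}")
    print("horizontal scanners:", find_horizontal_scanners(parse_flows(CURRENT_FLOWS)))
    print("Mirai seq fingerprint hits by source:", fingerprint_sources(parse_flows(CURRENT_FLOWS)))
```

On the constructed data, port 7547 shows a 200 percent rise while port 2323 has no baseline at all, which is why the change is reported as None rather than as an infinite or zero percentage; a real deployment would feed the parser from a flow exporter or firewall log and run it per day or per week, which is all the "port metrics" in the text amount to.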

An Evolving Threat

DDoS attacks have evolved over time. The weaponization of IoT devices into attacking DDoS botnets is simply the latest trend, the current “thing” from which to create an army of bots.

A recent report from Incapsula illustrated how this threat is not diminishing any time soon. One of its customers, a U.S. college, suffered a massive DDoS attack in February 2017 that lasted more than two days. According to the report, analysts believed that the perpetrators used a new version of the Mirai malware that was “modified to launch more elaborate application layer attacks.” Interestingly, DVRs manufactured by the same vendor made up 56 percent of all IPs used in the attack.

A DDoS Arms Race

Several drivers underlie the majority of IoT security issues, and the attack capacity they have produced is now shaping the defensive market as well. As DDoS attacks have become more potent and more common, DDoS mitigation services have proliferated in parallel, an arms race of sorts.

Whether it’s a computer, mobile device or appliance, anything connected to the internet can become a target, and an unmanaged device with default credentials can just as easily become a weapon. The proliferation of IoT devices will accelerate substantially: they are expected to account for more than two-thirds of the 34 billion connected devices projected by 2020.

It is vital that organizations and consumers look to implement IoT security best practices. Refer to the report to find out how to prevent your IoT device from becoming part of a massive botnet.

Read the complete X-Force Research report now: The Weaponization of IoT
