
What are Botnets and Why are MSSPs So Concerned?


In part one of MSSP Alert’s series on botnets, we delve into the nature of botnets and why MSSPs and MSPs are so concerned about them.

Botnets can lurk undetected in an organization’s network for years, quietly probing with malware for a vulnerability that lets the operator launch a full-scale attack: one that cripples IT systems, steals sensitive data, imposes a ransom demand and damages the business’s reputation.

Botnets can reach across an entire IT environment, be it software, applications or any kind of connected device. They are the product of a “bot-herder” (the attacker) who pushes the bot malware from command-and-control (C2) servers to unwitting recipients via file sharing, email, social media and messaging applications, or via already-infected bots acting as intermediaries.

When someone opens a malicious file on their computer, the bot reports back to the command-and-control server, from which the bot-herder can issue commands to every infected machine, Palo Alto Networks explains. Bots can also be updated by the bot-herder to change their functionality entirely, and to adapt to changes and countermeasures on the target system.
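That periodic “report back” to the C2 server is the behaviour defenders most often catch. The script below is an added example for this article (not code from MSSP Alert or Palo Alto Networks) that looks for check-in regularity in outbound connection records; the log format, hostnames, IP addresses and thresholds are constructed assumptions for illustration.

```python
"""Spot periodic C2 check-ins ("beacons") in outbound connection records.

Added example for this article, not code from MSSP Alert or Palo Alto
Networks. The log format, hostnames, IPs and thresholds are constructed
for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of firewall-style outbound connection records:
# "<ISO timestamp> <source host> <destination IP> <destination port>".
# ws-17 talks to 203.0.113.10 every ~300 s (a bot checking in) and to
# 198.51.100.7 at irregular, human-looking intervals.
SAMPLE_CONNECTIONS = """\
2024-03-04T10:00:00 ws-17 203.0.113.10 443
2024-03-04T10:05:01 ws-17 203.0.113.10 443
2024-03-04T10:10:00 ws-17 203.0.113.10 443
2024-03-04T10:14:59 ws-17 203.0.113.10 443
2024-03-04T10:20:01 ws-17 203.0.113.10 443
2024-03-04T10:25:00 ws-17 203.0.113.10 443
2024-03-04T10:00:12 ws-17 198.51.100.7 443
2024-03-04T10:03:40 ws-17 198.51.100.7 443
2024-03-04T10:31:05 ws-17 198.51.100.7 443
2024-03-04T10:32:50 ws-17 198.51.100.7 443
2024-03-04T11:10:00 ws-17 198.51.100.7 443
2024-03-04T11:11:00 ws-17 198.51.100.7 443
"""


def parse_connections(text):
    """Return a list of (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Flag (src, dst, port) flows whose inter-connection gaps are
    suspiciously regular.

    A flow is reported when it has at least `min_connections` connections
    and the coefficient of variation (stdev / mean) of the gaps between
    them is below `max_cv`. Real beacons often add random sleep jitter,
    so `max_cv` is a tuning knob, not a hard rule.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            beacons[flow] = {"count": len(stamps), "mean_interval_s": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (src, dst, port), s in find_beacons(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"possible beacon: {src} -> {dst}:{port}, {s['count']} connections "
              f"every ~{s['mean_interval_s']:.0f}s (cv={s['cv']:.3f})")
```

Only the 300-second flow is reported; the second flow to 198.51.100.7 has the same host, port and connection count but no rhythm, which is the distinction a beacon hunt relies on. In production the same logic runs over NetFlow, proxy or DNS logs, and the jitter threshold is tuned against known-good periodic traffic such as update checks.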

Botnet Business Booming

Josh Smith, threat intelligence analyst for Nuspire, a Commerce, Michigan-based MSSP, believes that botnets don’t often receive the media attention that ransomware attacks do. Regardless, MSSPs, MSPs and the cybersecurity industry in general are keenly focused on botnets.

However — often much to their frustration — Nuspire’s customers are not always as aware of botnets as they should be, Smith said. Nor are their customers’ employees taking the appropriate measures to protect against bot intrusions.

“Botnets are quiet, sneaky and don’t make the headlines,” he said. “They get remediated. They get fixed. They get cleaned. But they're still a very big threat to organizations everywhere.”

According to Nuspire’s recently released 2023 Cyber Threat Report, botnets saw a 25% year-over-year increase in activity, with the Torpig Mebroot botnet comprising 56% of all botnet detections in 2023. Nuspire reports a noticeable uptick in the activity of other botnets such as TorrentLocker, which quadrupled its activity in the fourth quarter of 2023. The report documents a 187% explosion in exploit activity for the year, sustained by the widespread use of Secure Shell (SSH) brute forcing and a marked rise in the use of web server password file access.
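Both exploit patterns the report singles out, SSH brute forcing and attempts to read web-server password files, leave clear traces in ordinary server logs. The following is an added example for this article (not code from MSSP Alert or Nuspire) that flags both from constructed OpenSSH and web access log lines; the sample lines, IP addresses and the five-failure threshold are assumptions for illustration.

```python
"""Flag two exploit patterns named in Nuspire's report: SSH password
brute forcing and requests for web-server password files.

Added example for this article, not code from MSSP Alert or Nuspire.
The log lines, IPs and thresholds are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of OpenSSH auth.log lines: one source hammers the
# bastion with five failed logins in five seconds; a legitimate user
# mistypes a password once.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 bastion sshd[2101]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  4 10:01:03 bastion sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Mar  4 10:01:04 bastion sshd[2105]: Failed password for invalid user oracle from 198.51.100.23 port 51026 ssh2
Mar  4 10:01:05 bastion sshd[2107]: Failed password for root from 198.51.100.23 port 51028 ssh2
Mar  4 10:01:06 bastion sshd[2109]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Mar  4 10:01:07 bastion sshd[2111]: Accepted publickey for deploy from 192.0.2.14 port 40110 ssh2
Mar  4 10:02:30 bastion sshd[2113]: Failed password for alice from 192.0.2.14 port 40112 ssh2
"""

# Constructed sample of Apache/nginx combined-format access log lines.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [04/Mar/2024:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.77 - - [04/Mar/2024:10:05:02 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 162
203.0.113.77 - - [04/Mar/2024:10:05:03 +0000] "GET /.htpasswd HTTP/1.1" 403 153
203.0.113.77 - - [04/Mar/2024:10:05:04 +0000] "GET /?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 4096
192.0.2.14 - - [04/Mar/2024:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

SSH_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Credential files a web server should never serve. Matched after
# URL-decoding so encoded traversal (..%2F..%2Fetc%2Fshadow) is caught too.
PASSWORD_FILE = re.compile(r"(?:/etc/(?:passwd|shadow)|\.htpasswd)", re.IGNORECASE)


def ssh_brute_force_sources(log_text, threshold=5):
    """Return {ip: failed_count} for sources with at least `threshold` failures."""
    failures = Counter()
    for line in log_text.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def password_file_requests(log_text):
    """Return one dict per request whose decoded path targets a password file.

    `served` is True when the server answered 200: the case to escalate,
    because something at that path actually came back to the client.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))
        if PASSWORD_FILE.search(path):
            status = int(m.group("status"))
            hits.append({"ip": m.group("ip"), "path": path,
                         "status": status, "served": status == 200})
    return hits


if __name__ == "__main__":
    for ip, n in ssh_brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"SSH brute force: {ip} ({n} failed logins)")
    for h in password_file_requests(SAMPLE_ACCESS_LOG):
        print(f"password-file request from {h['ip']}: {h['path']} -> {h['status']}"
              + (" SERVED" if h["served"] else ""))
```

The single failed login from 192.0.2.14 stays below the threshold, which is what keeps a rule like this from paging on every typo. On the web side the decoded-path check matters: the third hit is only visible after `%2F` is turned back into `/`, and its 200 response is the one an analyst should treat as a possible exposure rather than a blocked probe.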

“The rise of BlackBasta ransomware, the persistence of botnets like Torpig Mebroot and the shift in exploit tactics all underscore the adaptability of threat actors,” said J.R. Cunningham, chief security officer at Nuspire. “What we're seeing is not just an increase in activity, but a refinement of methods.”

Jim Broome, president and chief technology officer at DirectDefense, an MSSP based in Denver, Colorado, explained that there are two classes of botnets: those that attack apps and those that attack humans through personal computers and tablets. The reality, says Broome, is that any time DirectDefense engages a new client, they might have no idea what they’re actually walking into.

“The problem is, you may inherit a legacy technology that is currently not adequate enough to protect against either current generation or last generation's antivirus or botnet persistence,” Broome said. “You are constantly coaching the customer that they need to install the new stuff (i.e. cybersecurity technologies).”

Smith notes that Nuspire’s threat intelligence teams still encounter botnets such as Andromeda that date back to roughly 2015 and remain prevalent today. Frankly, botnets are a cybercrime business model that’s not going away any time soon.

“For example, a botnet could be collecting banking credentials, and they're going to resell that to ransomware operators,” Smith said. “Or, the botnet operators get enough devices and decide, hey, we're just going to sell this whole chunk of devices to ransomware gang X. And they purchase it and give them backdoor access and let them do whatever they want at that point.”

Case in point, in the social-media sense of the word: bots and fake accounts spread misinformation about First Republic Bank, triggering the withdrawal of $100 billion in deposits and driving the share price down until it became the second-biggest bank failure in U.S. history last year.

Volt Typhoon, the China-backed threat actor that routes its operations through a botnet of compromised small-office/home-office routers, recently raised eyebrows across U.S. government agencies when the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) jointly warned critical infrastructure organizations of potential cyberattacks. In the joint advisory, the agencies said Volt Typhoon may have been lurking in some IT environments for up to five years. For further insight about Volt Typhoon, read MSSP Alert’s recent coverage.

Low Risk, High Reward

Botnet operators don't necessarily want to be the ones in the headlines and drawing the ire of law enforcement, like some of the ransomware gangs do when they make a really big attack, such as the attack against MGM Resorts in 2023, Smith explained.

“That gets a lot of attention,” he said. “So, it's easier to sit in the background and build an entire initial access network. Maybe you're selling it for a dime on the dollar, but hey, you're staying out of the spotlight and you're making money.”

The truth is you no longer have to be a sophisticated coder to run a botnet. Botnet and malware authors lease their tooling to others who carry out the attacks, the same as-a-service model seen with ransomware.

“They'll give you tech support behind it too and tell you why your botnet's not running properly,” Smith said.

Coming next: MSSP Alert examines the technologies and tactics MSSPs and MSPs use to spot and stop botnets.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.