
The Largest Botnet Attacks

Man

We are surrounded by technology: at home, on the street, at work. It is literally in our hands, in the form of smartphones and tablets. Digitalization has taken a piece of the real world away from us, but in return it has given us almost limitless opportunities in the virtual world. Fraudsters use these same opportunities: they operate on the network with a special tool, botnets, to organize malicious attacks on sites and systems.

In this article we explain what a botnet is and how a botnet attack happens, and give examples of the largest attacks of recent times.

Contents
1. What is a botnet attack?
2. 5 types of botnet attacks
2.1. Brute force attacks
2.2. Distributed Denial of Service (DDoS) attacks
2.3. Spam and phishing
2.4. Device lock
2.5. Click fraud
3. Examples of the most famous botnet attacks
3.1. Mēris
3.2. Trickbot
3.3. Mirai
3.4. Gafgyt
3.5. Storm
4. Cyberwar between Ukraine and Russia
4.1. Anonymous
4.2. 4 cyber attacks on large agricultural enterprises in Russia
4.3. Attack on State Services
5. How to protect yourself from botnet attacks

What is a Botnet Attack

Before we talk about the recent bot attacks, let's find out what a botnet is in principle.

The word botnet is derived from two words, robot and net, i.e. a "network of robots". It is a group of malware-infected devices controlled by an operator. The one essential condition is that the devices are connected to the Internet. They can be routers, smartphones, kettles, switches and boilers: in general, any device with Internet access.

Hacked devices are used by cybercriminals to launch attacks that disrupt services and gain unauthorized access to other systems. A botnet attack is a large-scale, remotely controlled cyber attack. The operator launches and controls the process, and the robots, or infected devices, perform the task.

Typically, the malware infects one device at a time, but it does so in very large numbers, and this is what gives botnets their power. When organizing an attack, the attacker can perform several actions from many different devices at once, which makes the attack difficult to block.

5 Types of Botnet Attacks

There are several types of attacks for which attackers use such networks, and their complexity grows year by year. Here are the five most common types:

Brute force attacks

As the name suggests, this is an "aggressive" type of botnet attack used when the attackers do not know any of their target's passwords. It works on the principle of rapid password guessing: the bots flood the target system with a stream of login attempts until the correct password is found.
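From the defender's side, the brute-force pattern described above (the same SSH password guessing this article later attributes to the Mēris botnet) shows up as a burst of failed logins from one source. The script below is an added example, not code from the original post: it parses constructed OpenSSH log lines and flags any source whose failed attempts within a sliding window reach a threshold. The log lines, the year and the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format): one source hammers the host with
# password guesses within a few seconds; a second source fails once, legitimately.
SSHD_LOG = """\
Sep 05 10:00:01 gw sshd[912]: Failed password for root from 203.0.113.7 port 40001 ssh2
Sep 05 10:00:01 gw sshd[913]: Failed password for admin from 203.0.113.7 port 40002 ssh2
Sep 05 10:00:02 gw sshd[914]: Failed password for invalid user pi from 203.0.113.7 port 40003 ssh2
Sep 05 10:00:02 gw sshd[915]: Failed password for root from 203.0.113.7 port 40004 ssh2
Sep 05 10:00:03 gw sshd[916]: Failed password for root from 203.0.113.7 port 40005 ssh2
Sep 05 10:00:03 gw sshd[917]: Failed password for root from 203.0.113.7 port 40006 ssh2
Sep 05 10:00:09 gw sshd[920]: Failed password for alice from 198.51.100.2 port 50010 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log, year=2021):
    """Yield (timestamp, source_ip) per failed attempt; syslog has no year, so one is assumed."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def burst_sources(events, threshold, window_seconds):
    """Return {ip: peak} for sources reaching `threshold` failures in any sliding window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)  # attempts currently inside the window
        if peak >= threshold:                  # a lone slow failure never trips this
            flagged[ip] = peak
    return flagged
```

Running `burst_sources(parse_failures(SSHD_LOG), threshold=5, window_seconds=10)` flags only the guessing source, with its peak of 6 attempts in the window.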

Distributed Denial of Service (DDoS) Attacks

A DDoS attack is designed to disrupt a server, service or network. To do this, the attacker directs a huge volume of Internet traffic at the target and overloads it. Legitimate traffic can no longer get through, and eventually the whole system stops responding.

This is the most common use cybercriminals make of botnets, and for good reason: it is very effective. DDoS attacks are carried out from compromised, that is, infected, devices: computers, phones and IoT devices.

Spam and Phishing

Here the botnet sends spam e-mail that carries not a malicious attachment but a link to a phishing site. As a rule, these are mailings of the "you have won a million rubles", "get a promo code", "free subscription" type. The ultimate goal of such a botnet attack is the theft of personal and payment data. The first victims are usually employees of large companies who work with confidential information.

If the attack is successful, the attacker can use phishing to gain access to more devices and expand the botnet.

Device lock

The term "bricking" is commonly used for a device that can no longer be used because it is damaged beyond repair. Botnet attacks aimed at bricking devices typically proceed in several stages.

First, the device (usually a phone) is infected with malware. The malware then wipes its contents, including the traces of the attack itself. As a result, the phone simply turns into a "brick": its normal operation is blocked by some cyclic or static condition, such as endless booting, freezing on one screen, being stuck on the splash screen when switched on or off, or a black or white screen of death.

Click fraud

Click fraud is the deliberate, repeated clicking on an advertisement in order to exhaust the advertising budget and inflate its apparent performance. It is one form of advertising fraud (ad fraud).

With CPM advertising, where payment is per thousand impressions, cybercriminals instead artificially inflate the number of views, as the operators of the DrainerBot botnet did, for example.

In both cases the attackers use bots, i.e. malware-infected devices, whose operating principle we described above.

Examples of the most famous botnet attacks

According to Imperva's 2021 Bad Bot Report, malicious bots accounted for 25.6% of traffic in 2020. Less than 60% of traffic came from humans, while 15.2% came from beneficial bots.

The same report also stated that:
  • The industries most affected by malicious bot traffic were telecommunications and ISPs, with 45.7% of their traffic coming from bad bots, followed by IT with 41.1%. Sports, news and B2B sites also drew increased attention from attackers.
  • Advanced ("smart") bots accounted for 57.1% of malicious traffic.
  • Botnet attacks most often target mobile devices, which accounted for 28.1% of malicious bot requests.

A cybercrime report from LexisNexis Risk Solutions found that botnet attacks spiked in the first half of 2021, rising by 41%. Another report, from FortiGuard Labs, found that over roughly the same period the share of organizations that had been attacked jumped from 35% to 51%.

Bot attacks are becoming more common and sophisticated, with some of them raising international concern and making headlines in mainstream media.

Mēris

In September 2021, the largest DDoS attack in the history of the Internet hit Yandex's servers. It was an application-layer (Layer 7) attack that peaked at 21.8 million requests per second (RPS). According to experts, the source was a new botnet, Mēris, whose name means "plague".

The malware relied not simply on infected Internet of Things (IoT) devices but on specialized, high-performance network equipment. According to Yandex's estimates, more than 200,000 devices were compromised and used in the attack.

The botnet was expanded with devices infected by the Glupteba malware. The method of compromise was brute force, namely SSH password guessing, together with exploitation of the RouterOS vulnerability CVE-2018-14847.

Most of the infected devices were located in Asian and South American countries (Bangladesh, Brazil, India, Indonesia, Iraq, Cambodia, Colombia, China), as well as in Europe and North America (Russia, Poland, the USA, Ukraine) and dozens of other countries.

Yandex managed to repel the attack, and the functionality of its services was not affected.

Trickbot

The rise in botnet threats in the first half of 2021 is partly due to the "return" of the Trickbot malware. The botnet was supposedly taken down in 2020 but has resurfaced with new capabilities.

In the fall of 2020, a large-scale operation was carried out to dismantle one of the biggest botnets, TrickBot. It involved law enforcement agencies, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec.

Experts from leading security and antivirus vendors and their partners collected more than 125 thousand samples of the TrickBot malware, 40 thousand configuration files and 28 individual plugins. They analysed all of this material in full, extracting and mapping information about the malware's internal workings, including the servers used to control infected machines and to serve additional modules.

Once all the data had been collected, Microsoft filed a lawsuit and obtained a court order to have control of the servers used to operate the malware taken away from its operators.

The Trickbot malware can now scan a target system's UEFI/BIOS firmware for vulnerabilities, making it a powerful and adaptable threat.

Mirai

Mirai is another botnet that became a threat to advertisers and website owners in 2021. This malware, whose source code became freely available in 2016, focuses on infecting Internet of Things devices and uses them to launch DDoS attacks against its end targets. It has also been used for advertising click fraud.

Experts believe this malware was behind the large-scale DDoS attack on the servers of the hosting provider and domain registrar Dyn in October 2016, which left it temporarily unavailable. The attack used 100,000 infected IoT devices.

Although the network was exposed and partially dismantled, it still poses a serious threat as new variants of the botnet continue to emerge.

Gafgyt

This malware is very similar to Mirai: it, too, is used to build a botnet and launch DDoS attacks. Gafgyt has been known since 2014, and, like Mirai's, its source code was made public, in 2015. Recent attacks have come from Gafgyt variants that target IoT devices.

According to Kaspersky Lab experts, the number of attacks on Internet of Things devices grew by 40% in the first half of 2022. The main culprits in infection and distribution are the Mirai, Gafgyt and NyaDrop malware families. Among the devices attacked, CCTV cameras and routers lead the list.

Storm

The Storm botnet made headlines back in 2007. The network was controlled by a handful of servers and consisted of 1 million infected computers. It could be rented out for a variety of cybercrimes, from DDoS attacks to digital theft.

A number of Storm servers were taken offline in 2008. Its activity slowed, and the botnet is now believed to be inactive.

Cyberwar between Ukraine and Russia

Ukrainian and Russian hackers have regularly carried out, and continue to carry out, attacks of varying complexity on companies around the world. Now, in light of the current situation, they have declared war on each other.

Anonymous

The hacker group Anonymous declared a cyber war on Russia, announcing it on its Twitter account on the night of February 25. The attack on the website of the state television channel RT that followed is assumed to be linked to that statement.

Russian government websites and Internet providers' servers were also attacked. Among state resources, the victims were the websites of Roskomnadzor, the Pension Fund of Russia (PFR), the Federal Antimonopoly Service (FAS) and information resources of Crimea. Large companies were not spared either: Norilsk Nickel, Lukoil, Gazprom and Yandex.

In addition, hackers attacked the websites of Belarusian and Russian media outlets (Fontanka, Kommersant, Izvestia, Mel, TASS), posting messages calling for an end to the special operation in Ukraine.

In response, the Russian hacker group Killnet attacked the Anonymous group's website. A few days after Anonymous announced an upcoming attack on official Russian resources, the Anonymous website suddenly stopped working.

"Don't be afraid, Russia, no one and nothing can threaten you," Killnet wrote in its appeal.

4 cyber attacks on large agricultural enterprises in Russia

1st attack. On February 26, hackers attacked the Selyatino agrohub in the Moscow region. The attackers compromised the main controller that manages the refrigeration units and changed the temperature setting from -24 °C to +30 °C. The intrusion into the warehouse, where 40 tons of frozen meat and fish were stored, was not discovered immediately.

2nd attack. On March 18, Miratorg's structures were attacked by hackers who planted ransomware on their Windows systems. As a result, document flow at 15 enterprises suffered, because the ransomware encrypted the servers' disks. The issuance of veterinary and transport documents stopped.

3rd attack. On March 24, the structures of the Tavr food holding in the Rostov region were attacked. Malware was again introduced into the enterprise's systems, affecting the issuance of certificates and the 1C business software. After the investigation, the company installed additional protection against cyber threats.

4th attack. On April 2, cybercriminals attacked the Mercury system. Its servers could be kept operational only by disabling data verification with VetIS.

Attack on State Services

On June 23, the department's Telegram channel reported a large-scale cyberattack, organized from Ukraine, on the servers of the state services portal Gosuslugi. At peak moments the load reached 340 thousand RPS. The hackers' goal was to suspend the provision of socially significant services to the Russian population.

How to protect yourself from botnet attacks

The best way to deal with cyber attacks is to prevent them: recovering from a botnet attack is likely to be difficult and expensive, and recent events have shown that prevention is better than cure. Here are some tips for keeping your systems secure:

Staff training
Educate your company's employees and partners about the risks associated with botnet attacks in general and phishing in particular.

New devices
Add new devices to your network only after you've verified that they meet your organization's security standards.

Software
Make sure you are running the latest version of your software and device firmware, and check for updates regularly. The main purpose of these updates is to close vulnerabilities that attackers could otherwise exploit to get into your systems.

Credentials
Change your login credentials on all your devices regularly.

Limit access to your devices
Ensure that access to the important parts of your organization's systems is restricted to authorized personnel only.