How Organisations Can Mitigate Botnet Attacks
An extensive Chinese-backed botnet campaign that weaponised hundreds of thousands of internet-connected devices globally for various malicious actions has emphasised the importance of keeping software up-to-date and replacing products when they reach end-of-life. But as botnets continue to increase in number and sophistication, what else can organisations learn from this incident?
What Happened
In September, the UK’s National Cyber Security Centre (NCSC) and its partners in the United States, Australia, Canada, and New Zealand issued an advisory warning organisations about a China-linked botnet used to launch Distributed Denial of Service (DDoS) attacks, distribute malware, steal sensitive data, and conduct other malicious actions.
The botnet compromised more than 260,000 internet-connected devices in the Americas, Europe, Africa, Southeast Asia and Australia. These included routers, firewalls, webcams, CCTV cameras and other devices, many of which were left vulnerable to cybersecurity breaches due to being end-of-life or unpatched.
The advisory claims that a Chinese-based company called Integrity Technology Group, which is thought to have connections with the Chinese government, controlled and managed the botnet. Meanwhile, Chinese threat actor Flax Typhoon has been leveraging the botnet in malicious activities.
Those behind the malware used Mirai botnet code to hack into these devices and weaponise them for malicious activities. Mirai targets connected devices that run on the Linux operating system and was first spotted by cybersecurity researchers at MalwareMustDie in August 2016.
Ken Dunham, director of cyber threat at Qualys Threat Research Unit (TRU), describes Mirai as a “complex botnet system” used for cyber threat campaigns “related to inception, release of source code, and various changes in attacks and targets”. He adds: “Mirai continues to be a powerful botnet.”
Botnets aren’t a new phenomenon by any means. They have existed for almost two decades, explains Matt Aldridge, principal solutions consultant at IT security firm OpenText Cybersecurity. But he says instances of nation-states using malicious technologies like botnets are “a more recent development”.
The Main Causes
According to Sean Wright, head of application security at fraud detection specialists Featurespace, this latest botnet campaign infected such a large number of international devices for three main reasons.
Wright explains that the first issue is that many of these products had reached the end of their lifecycle, meaning their manufacturers were no longer issuing security updates. But he says there might have been cases where vendors just didn’t want to work on patches for security issues.
He says the second issue is that the firmware of IoT devices is “inherently insecure and full of security flaws, which makes them easily breachable.” Finally, he says devices can become vulnerable to botnet attacks because the end user fails to implement software updates.
Wright adds, “They either are not familiar with how to, unaware of the updates and the risk, or simply choose not to. We see the end results of this time and again.”
Even if a product manufacturer regularly releases software updates and security patches, Aldridge of OpenText Cybersecurity explains that cyber criminals use reverse engineering to exploit security vulnerabilities and take control of connected devices as part of botnet campaigns.
Dunham of Qualys Threat Research Unit believes that the “diverse” nature of Mirai is a primary cause of this botnet, explaining that the malicious code uses several years’ worth of exploits to “quickly compromise vulnerable devices when timing is best” and to “maximise opportunities to spread” the malware.
Key Lessons
Given that many of these devices were unpatched, Aldridge of OpenText Cybersecurity says a clear lesson from this latest botnet campaign is that people should always keep their connected devices updated.
For Aldridge, another critical lesson is that organisations should properly configure devices before deploying them. He believes this is the key to ensuring the “maximum security” of connected devices. Aldridge explains: “If connections to a device are not enabled, it becomes extremely difficult to compromise, or even to discover that device.”
Wright of Featurespace recommends that organisations create a device and software inventory. By regularly monitoring product update feeds as part of this, he says organisations won’t miss the latest updates.
When purchasing devices, Wright advises organisations to ensure the manufacturer provides adequate support and clearly defines the lifespan of its products. And when a device is no longer eligible for support, Wright adds that organisations should replace them as quickly as possible.
Echoing Wright, Dunham of Qualys Threat Research Unit (TRU) says it’s clear that organisations must develop and implement a succession plan that enables them to manage all forms of hardware and software risk “over time”.
“Ensure you have a rock solid CMDB [configuration management database] and inventory in place that you can trust, assets that are classified and known against it, and EOL is identified and managed via a company risk policy and plan,” he says. “Remove EOL and unsupported OS hardware and software from production to best reduce risk and attack surface.”
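An added example, not code from the article or from any of the vendors quoted, of the kind of EOL and patch review the inventory, update-feed and CMDB advice above describes: each asset is checked against a vendor-declared support date and the latest firmware in an update feed, and sorted into an action for the risk register. The asset list, the update feed, the model numbers and the 180-day warning threshold are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str            # version currently installed
    eol: Optional[date]      # vendor-declared end of support; None if the vendor never defined one

# Constructed sample inventory and a constructed "update feed" (latest firmware per model).
# In practice these come from the CMDB and from each vendor's update feed.
INVENTORY = [
    Asset("cam-lobby-01", "ExampleCam", "XC-200", "2.1.0", date(2023, 6, 30)),
    Asset("rtr-branch-03", "ExampleNet", "R-50", "5.4.2", date(2027, 1, 15)),
    Asset("fw-edge-01", "ExampleNet", "FW-1000", "9.0.1", date(2025, 3, 1)),
    Asset("cam-yard-07", "NoNameCo", "NC-1", "1.0", None),
]
UPDATE_FEED = {"XC-200": "2.3.1", "R-50": "5.4.2", "FW-1000": "9.2.0"}

def version_tuple(v: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple: 1.0 < 1.0.1 < 1.2."""
    return tuple(int(p) for p in v.split("."))

def classify(asset: Asset, today: date, warn_days: int = 180) -> str:
    """Apply an EOL/patch risk policy to one asset.

    Returns one of: 'unknown-support', 'replace', 'patch', 'eol-soon', 'ok'.
    Missing or outdated firmware is reported before an approaching EOL date,
    because patching is the immediate action and EOL planning is the longer-term one.
    """
    if asset.eol is None:
        return "unknown-support"   # no defined lifespan: a procurement gap, not a known-good device
    if asset.eol <= today:
        return "replace"           # no further security updates will come; remove from production
    latest = UPDATE_FEED.get(asset.model)
    if latest and version_tuple(asset.firmware) < version_tuple(latest):
        return "patch"             # a newer firmware exists in the vendor feed
    if (asset.eol - today).days <= warn_days:
        return "eol-soon"          # start the succession plan before support ends
    return "ok"

def review_inventory(assets, today: date) -> dict:
    """Group asset names by the action the policy requires, for the risk register."""
    report: dict = {}
    for a in assets:
        report.setdefault(classify(a, today), []).append(a.name)
    return report
```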
Other Steps To Take
Beyond regularly updating the software of connected devices, are there any other ways organisations can prevent botnets? OpenText Cybersecurity’s Aldridge believes so, saying organisations should also monitor their devices and systems for signs of irregular traffic and activity.
He also recommends segmenting networks and securing them using multiple protective layers, adding that these steps will “reduce the risk and limit the impact of a potential compromise.”
Wright of Featurespace agrees that organisations need to pay extra attention to their network security in order to mitigate botnets. He says tools like an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System) will notify users of potentially malicious activity and block it.
Dunham of Qualys Threat Research Unit (TRU) urges organisations to consider whether they have strong enough cyber defences to tackle botnets, such as zero-trust architecture. Dunham says these should be reinforced with continuous operations improvements by embracing purple learning, whereby organisations boost their cyber defences using both offensive and defensive approaches.
The Importance Of Industry Frameworks
Adopting an industry-recognised professional framework like ISO 27001 will also help organisations develop a broad and proactive cybersecurity approach to preventing botnets and other cyber threats.
Wright of Featurespace explains that industry frameworks provide organisations with a benchmark and set of requirements that they can follow to shore up their cyber defences and lower cyber risk.
He adds: “This also helps potential customers have a greater degree of confidence that the appropriate security controls are in place.”
Aldridge of OpenText Cybersecurity says adhering to an industry framework should help organisations understand the processes and policies they must adopt to procure, deploy, monitor and dispose of devices securely.
Botnets can have severe consequences for victims, from data theft to DDoS attacks. And, if you’re failing to update your devices regularly or are using end-of-life products, there’s every chance a threat actor could be using one of your devices to conduct such nefarious actions.
But preventing this from happening isn’t just a case of reacting to threats as you hear about them; it requires a long-term commitment to cybersecurity, which can be simplified through industry frameworks.