Thought leadership. Threat analysis. Cybersecurity news and alerts.
Is Network-Level Blocking the Right Solution to Limiting Botnet Traffic?
The Government of Canada, through the Canadian Radio-television and Telecommunications Commission, recently called on stakeholders to comment on its proposal to develop a network-level blocking framework that will limit the harm botnets cause to Canadians.
In the "Call for comments – Development of a network-level blocking framework to limit botnet traffic and strengthen Canadians’ online safety," the Commission said it’s the principal enforcement agency for the Personal Information Protection and Electronic Documents Act and the Telecommunications Act – Canada’s Anti-Spam Legislation, also known as CASL. “Botnet activity is by definition a CASL violation, as is the botnet itself,” the Commission said. “One way that TSPs [telecommunications service providers] can limit anti-CASL behaviour is by blocking botnet traffic.”
What Are Botnets?
Botnets are networks of hijacked computers that are infected by malicious software (malware). One way by which this malware arrives on the hijacked computer is through phishing – a type of cyberattack in which the attacker masquerades as a trusted entity and tricks an email receiver to click on a malicious attachment or link.
Clicking this malicious attachment or link could lead to the downloading and running of malware on the email recipient’s computer. Once the malware is inside the victim’s computer, it contacts the attacker’s command and control center, allowing the attacker to control the malware-infected computer and using it to commit cybercrimes such as further phishing campaigns, credential stuffing, ransomware, or distributed denial-of-service (DDoS).
According to Commission, botnets are the basis for an increasingly large proportion of cyber threats to individuals, corporations, and institutions in Canada.
In mid-March this year, Canada Revenue Agency (CRA) announced that it locked out 800,000 CRA user IDs and passwords as they may have been obtained by unauthorized third parties or have been identified as being available to unauthorized individuals.
CRA said, “We wish to reiterate that these user IDs and passwords were not compromised as a result of a breach of CRA’s online systems, rather they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA, such as email phishing schemes or third party data breaches.”
In August 2020, the Government of Canada, through the Treasury Board of Canada Secretariat, reported that attackers fraudulently accessed nearly 5,500 CRA accounts. In a press conference in August 2020, Marc Brouillard, acting Chief Technology Officer for the Treasury Board of Canada Secretariat said that at one point, the CRA web portal was attacked by a large amount of traffic using a "botnet to attempt to attack the services through credential stuffing".
Credential stuffing, also known as account takeover, uses a large number of stolen username and password combinations from other websites and tests these stolen credentials to login to a target website. Credential stuffing are launched through botnets and across different IP addresses.
Network-Level Blocking Framework Proposal
The Commission proposes that telecommunications service providers can introduce network-level blocking using a variety of techniques such as domain-based blocking, Internet Protocol (IP)-based blocking, and protocol-based blocking.
“Internet users access websites by clicking on links or by entering domains (www.example.com) into a browser,” Commission said. “To access a webpage, the domain has to first be translated into the IP address of the server that hosts the webpage. This translation happens through the Domain Name System (DNS), which maps domain names to IP addresses. Once the IP address is found, the Internet user’s device can then route communication to the website’s server and download the webpage.”
In domain-based blocking when an infected device requests a blocklisted command and control domain, the DNS will either reply that the domain is unknown or will redirect the user to a site stating that the requested domain isn’t permitted.
In IP-based blocking, a firewall is used to prevent communication to the IP addresses of suspected command and control servers while letting other communication through. Protocol-based blocking, meanwhile, refers to a targeted form of IP-based blocking limited to a select group of services on a specified server.
In its reply to the network-level blocking framework proposal, the Royal Canadian Mounted Police (RCMP) said it supports the Commission’s proposal as “criminal botnet operations and infrastructure continues to underpin various cybercrime threats, such as ransomware, Distributed Denial of Service (DDoS) attacks, campaign-level phishing activities, among other cyber intrusions.”
RCMP said that in 2016, it took part in a global effort to dismantle the network called “Avalanche,” which included a botnet infrastructure that facilitated the widespread malware attacks targeting financial institutions and other sectors. RCMP said that the dismantlement of the Avalanche network, which spread across 30 countries, resulted in multiple arrests, seizures of command and control server infrastructure, and over 800,000 domains were seized, sinkholed, or blocked.
In response to the Commission’s proposal, Bell Canada said, “There is no one-size-fits-all detection and mitigation method.” It added that once the Commission approves one type of blocking “malicious actors can be expected to change their techniques and implement new botnet strategies to evade the regulated mandatory form of blocking.”
In response to the Commission’s proposal, Rogers Communications said, “Blocking of botnet traffic is a highly technical matter that requires in-depth security intelligence.” It added that the “proposal for a single network blocking framework is not the best approach to tackle cyber crime.”
Telus Communications, for its part, said, “The Commission’s proposal to focus on TSPs in an effort to limit botnets is a narrow approach that, absent other stakeholder action, will be ineffective.” It added that network-level blocking is a “reactive measure – it is not implemented until malicious traffic is detected from an already
Mozi Botnet Accounts for 90% of Traffic to and from IoT Devices, IBM Report Shows
Researchers at IBM recently reported that 90% of traffic to and from all internet of things (IoT) devices comes from the botnet called “Mozi”.
What Is a Botnet?
A botnet, also known as “zombie army”, is a group of hijacked computers, including IoT devices. These hijacked computers are each infected with malicious software (malware) for the purpose of controlling these computers from a remote location without the knowledge of the owners of the hijacked computers.
Threat actors have used these hijacked computers for malicious activities such as distributed denial-of-service (DDoS) attacks. In a DDoS attack, the traffic from hijacked computers are directed towards a target, for instance, a website, overwhelming the target with traffic, rendering it inaccessible to legitimate users. A malicious actor, for example, sent a DDoS ransom note, taunting a target that their "Botnet army" is ready to take down the target's website and that the target has 48 hours to pay the ransom.
What Is Mozi Botnet?
Researchers at 360 Netlab first reported about the Mozi botnet. According to the researchers, they first observed Mozi in the wild in September 2019.
In the recent report released by researchers at IBM, the researchers said that Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 to June 2020. They added that the overall combined IoT attack instances from October 2019 to June 2020 increased by 400% compared to the combined IoT attack instances for the previous two years.
This massive traffic from Mozi, the researchers at IBM suggested, that this botnet didn’t remove competitors from the market, but rather flooded the market and dwarfing other botnets. The hijacking of IoT devices to form part of the Mozi botnet, the researchers said, could be due in part to the ever-expanding IoT landscape.
According to IBM researchers, there are nearly 31 billion IoT devices deployed around the world, with IoT deployment rate now stands at 127 devices per second. IoT devices include consumer IoT (security cameras and lighting control); commercial IoT (internet-connected pacemakers and vehicle trackers); enterprise IoT (projectors, routers and security systems); industrial IoT (production line automation systems and aircraft systems); infrastructure IoT (traffic control devices and utility monitoring devices), Internet of Military Things (wearable combat biometrics devices, robots and surveillance equipment).
Researchers from 360 Netlab and IBM reported that Mozi is capable of conducting these malicious activities: conduct DDoS attack (HTTP, TCP, UDP), carry out command execution attack, download malicious payload from specified URL and execute it, and gather bot information. Devices affected by Mozi include Netgear, D-Link and Huawei routers.
How Mozi Hijacks IoT Devices to Form Part of Its Botnet?
According to IBM researchers, nearly all of the initial entry to these Mozi-hijacked devices was done through command injection (CMDi) attacks.
“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application,” Open Web Application Security Project (OWASP) defines CMDi. “Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.”
Researchers at IBM said CMDi attacks are extremely popular against IoT devices for the following reasons:
First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited.
Second, PHP modules that are built into IoT web interfaces can be exploited, giving threat actors remote execution capability.
Third, IoT interfaces are often left vulnerable when deployed as administrators “fail to harden the interfaces by sanitizing expected remote input”. This failure, the researchers said, allows threat actors to input shell commands.
Fourth, new vulnerabilities require constant updating and slow patch implementation can be exploited.
Fifth, CMDi attacks can easily be automated, allowing threat actors to hijack a large number of IoT devices quickly at low cost.
Sixth, IBM researchers suggested that Mozi continues to be successful largely through the use of CMDi attacks as corporate networks are being accessed remotely more often due to COVID-19.
Israel-based cybersecurity firm JSOF earlier reported that vulnerabilities in Treck TCP/IP stack put hundreds of millions of IoT and embedded devices at risk. Developed 20 years ago, Treck TCP/IP stack is a piece of software that serves as a basic building block for IoT or embedded device that works over a network.
Out of the 19 security vulnerabilities discovered on Treck TCP/IP, 4 are rated critical remote code execution vulnerabilities. In remote code execution, a threat actor from any geographical location could run malicious programs on the target device.
Cybersecurity Best Practices
Here are some cybersecurity best practices in preventing your organization’s IoT devices from being hijacked and made part of a botnet: keep all firmware up to date and retire devices that no longer receive security updates.
Using outdated IoT devices or those that no longer receive security updates leave these devices vulnerable to hijacking and being made part of a botnet for malicious activities such as DDoS attacks.
On the flip side, with the proliferation of hijacked IoT devices, it’s important to protect your organization from DDoS attacks.
French Authorities and Avast Take Down One of the World’s Biggest Botnets
French authoritiesand antivirus solution provider Avast have jointly taken down the Retadupbotnet, considered as one of the world’s largest botnets affecting nearly a million computers worldwide.
Avast, in a blog post, announced that itscollaboration with French authorities resulted in the neutralization of the Retadup botnet, a group of computers infected with a malicious software (malware), in this case, a malware called “Retadup” and controlled by an attacker or attackers for malicious activities. As part of its threat intelligence research, Avast said it started closely monitoring the activity of the Retadup malware in March 2019.
Avast found that the computers infected with the Retadupmalware and that formed part of the Retadupbotnet were mostly abused to mine the cryptocurrency called “Monero”. In cryptocurrency mining, malicious actors earn cryptocurrency by stealing the computing power of someone else’s computer.
In few cases, Avast observed that Retadup was used in distributing the ransomware called “Stop”, a type of malware that’s purposely created to block legitimate users to a computer system or data until a ransom is paid. In other few cases, Avast also observed that Retadup was used in distributing Arkei, a malware that steals passwords.
Avast said its research showed that Retadup’s command-and-control (C&C) infrastructurewas mostly located in France and as such,it contacted theCybercrime Fighting Center (C3N) of theFrench National Gendarmerie.C&Cinfrastructurerefers to a server or servers used to communicate and remotely control computers compromised by a malware, in this case, the Retadupmalware.
As of late August, this year, Avastsaid that, in the collaboration with C3Nand with the permission from the office of the public prosecutor in France, Retadupmalware was taken down from 850,000compromised computers mostly located in Spanish-speaking countries in Latin America.
Retadup malware first appeared in mid-2017 stealing information in Israeli hospitals. According to Trend Micro, the organization that first reported about this malware in June 2017, this malware is notable for its propagation and stealth capabilities.
Trend Micro said the original Retadup malware infects computers via an executable file that masquerades as another file type, such as shortcut files for browser, Windows updaters and a web 3D creation tool. For example, it’s delivered on the vulnerable computer as WinddowsUpdater.zip, mimicking the legitimate updater file which is WinddowsUpdater.exe.
A computer becomes infected with Retadup malware when the file that masquerades as another file type is clicked. According to Trend Micro, it’s unclear how these executable files containing the Retadup malware arrive on the computers of the victims.
Once inside an infected computer, this malware then checks for specific antivirus and analytics tools. The malware self-destructs when it detects the presence of specific antivirus and analytics tools.
In stealing information, Trend Micro said the original Retadup malware routinely records every keystroke made by a computer user, takes screenshots and extracts passwords from web browsers. The Retadup malware is also a worm, which means that this malware has the ability to spread itself within networks without user interaction.
In September 2017,Trend Microdetected a new version of Retadup malware, this time, infecting specific industries and governments in South America and controlling these infected computers as a botnet, stealing the computing power of these infected computers to mine the cryptocurrency Monero. As of September 2017, Trend Micro said the malicious actor or actors behind Retadup botnet earned 314 Monero coins, worth US$36,000 as a result of the illicit cryptocurrency mining.
Since the discovery of the Retadup malware in June 2017, this malware has evolved into different versions. Most of these versions, however, retain the original features, such as the worm capability and stealth capabilities. According to Avast, the most recent version of Retadup malware, avoids cryptocurrency mining on the infected computers when taskmgr.exe is running in order to make it harder for users to detect increased CPU usage.
With the permission from the office of the public prosecutor in France and with the technical assistance of Avast, the Cybercrime Fighting Center of the French National Gendarmeriedismantled the command and control server of the Retadup malware and replaced it with a disinfection server. This disinfection server, Avast said, made it possible for the self-destruction of the Retadup malware on the infected computers forming the Retadup botnet.
To date, while the Retadup botnet is neutralized as a result of the collaboration of the office of the public prosecutor in France, Avast, and the Cybercrime Fighting Center of the French National Gendarmerie, the creator or creators of Retadup, however, remain at large as no arrest or arrests have been made as a result of the operation.
Threat Mitigation & Prevention
Botnets are a threat to the online community. As shown by the Retadup botnet, it can wreak havoc via cryptocurrency mining, ransomware and stealing information. Other botnets, like the Mirai botnet, had in the past brought down the internet in certain parts of the world via distributed denial-of-service (DDoS) attack.
Here are some cyber security measures in order to protect your organization’s computers or devices from being infected with malware and making them part of a botnet:
When you need help with threat mitigation, audits and prevention, connect with our cybersecurity experts.
Steve E. Driz, I.S.P., ITCP