Newsmaker Interview: Troy Mursch on Top Botnet Trends

MikroTik, Hadoop clusters, legislation and more will mark the botnet space in 2019.

Botnet activity saw a healthy amount of dynamism in 2018. New types of devices were targeted, such as carrier-grade MikroTik hardware, and a host of new criminal activity surfaced, making the point that botnets aren’t just for DDoS anymore. New types of configurations surfaced too (self-organizing botnet swarms, anyone?), along with increased law enforcement interest – all of which resulted in plenty of headlines in the space.

By all accounts, these networks of zombie devices will persist as a scourge going into the new year, so Threatpost decided to sit down with Troy Mursch, security researcher at Bad Packets Report, to discuss what the biggest botnet-related stories of 2018 were, and what to expect for 2019.

Threatpost: In your mind, what were the top headlines this year on the botnet front?

Mursch: First off, there were legal actions worth noting. We saw the sentencing and indictment of two well-known botnet operators. Mirai co-author Paras Jha was ordered to pay $8.6 million in fines, and the Satori author, Kenneth Currin Schuchman, was arrested back in September.

Satori was a very large botnet detected towards the end of 2017 that rapidly spread due to the use of a then-zero-day exploit targeting Huawei devices.

Also in 2018, we saw Mirai-like variants and other types of botnets used for DDoS attacks, cryptojacking and even sending email spam. The latter is actually notable in a recent case dubbed “BCMUPnP_Hunter,” which was well documented by Netlab 360.

This botnet has been observed scanning for exposed Universal Plug and Play (UPnP) interfaces of routers with Broadcom chipsets (5431/TCP). Traffic from the botnet has a very distinct packet signature [it’s a self-built proxy network] and because of this, it’s relatively easy to monitor for.

We’ve seen this botnet used to send sextortion emails, which have actually been very profitable for hackers, with over $500 million in Bitcoin already received for all campaigns combined.

TP: Botnets being harnessed for cryptojacking got a lot of publicity after MikroTik routers proved to be a target of choice. Has the MikroTik activity evolved recently or is cryptojacking still the main threat from that botnet?

Mursch: This has been a topic I’ve discussed quite frequently in the last few months. We’ve found over a half-million compromised MikroTik routers, and the latest reports don’t really show any slow-down in infections.

These MikroTik routers are being compromised by a highly critical vulnerability in the Winbox interface (8291/TCP) that allows miscreants to modify the proxy settings of these routers to inject cryptojacking malware into the web traffic of all users behind the router. While this may not be regarded as an urgent threat, it remains a highly visible indicator of compromise.

With that being said, we’re already seeing cases where compromised MikroTik routers are being used for proxy services of other botnets. A report was recently published by Wordfence detailing a botnet consisting of 20,000 WordPress sites, and in that case, the four command-and-control servers routed all their traffic through MikroTik routers via a “proxy-for-hire” service out of Russia.

MikroTik users need to ensure they’re running the latest version of RouterOS, which is patched against this vulnerability. I urge anyone using version 6.42 or older to apply the update ASAP.

TP: Hadoop YARN interfaces saw a bit of targeting this year, with an eye to infiltrating enterprise machines. What’s the significance of this targeting of enterprise attack surfaces?

Mursch: Our honeypots have seen a high volume of incoming traffic testing for remote execution on Hadoop YARN ResourceManager endpoints. YARN, which stands for Yet Another Resource Negotiator, is a core component of the Apache Hadoop data processing framework and is often found in large enterprise networks or cloud computing environments.

To note, this is not a vulnerability in the YARN API, but rather a service (endpoint) that should NOT be exposed to the internet. This is a scenario we see time and time again. It’s very easy for anyone to find improperly exposed devices on search engines such as Censys or Shodan.

Other researchers who have dubbed this botnet “DemonBot” have found the compromised hosts are used for DDoS attacks, which is interesting because in this particular case the Hadoop servers (clusters) have lots of computing power that could be used to mine cryptocurrency instead. However, the price for virtual currency has dropped so low it’s probably not enticing given the current market value.

TP: When we think about botnets, we usually think of Mirai-like activity, with IoT devices being enslaved to carry out DDoS. Or, large-scale spamming. But what are some of the other activities that we’ve seen large botnets carrying out?

Mursch: There was a recent campaign, largely in Brazil, where miscreants would compromise routers and change DNS settings. In turn, any time a user went to visit a website, such as their bank, the traffic would be maliciously redirected (via DNS) to a phishing site instead.

This type of attack is transparent to the user as everything appears to be working correctly from their perspective — that is until their credentials are stolen.

Unlike the MikroTik case, this is a pretty diverse botnet in terms of the types of devices affected, with over 70 different types of routers and a total of 100,000 devices impacted.

TP: What new trends are you seeing impacting the botnet landscape?

Mursch: There’s a recent development where a new protocol called Constrained Application Protocol (CoAP) is being abused to conduct large scale DDoS attacks. This is a UDP-based protocol that’s prone to IP address spoofing (forged source IP addresses) and packet amplification.

An attacker can send a small UDP packet to a CoAP client (which is usually an IoT device), and the client would respond with a much larger packet. For CoAP, this can result in an amplification factor of up to 50 times.

The latest results on Shodan show at least 330,000 devices could be abused in this manner to conduct DDoS attacks. The largest attack so far has clocked in at 320 Gbps.

TP: So let’s look forward to 2019. What are some trends to watch for in the new year?

Mursch: The general overall trend we’ll see in 2019 is that botnets will continue to target IoT devices, as new devices are constantly being connected and exposed to the internet. Due to this, Mirai-like variants will remain active and we’ll continue to see high volumes of traffic from these botnets.

Miscreants will also continue to target carrier-grade devices (MikroTik) and enterprise infrastructure (Hadoop clusters).

I also predict that in 2019 and coming years we’ll see new legislation put forward (similar to the GDPR and California’s IoT bill), with a focus on cybersecurity policies and regulating data-handling processes, which will change this landscape. For 2019 we may see more of that because we’re not seeing the appropriate response from enterprises to protect their environments.

That said, I believe in the core principles of the GDPR, but there have been no significant fines laid out yet. We see in the cases of Facebook or Equifax that there’s no real incentive or punishment that spurs companies to take appropriate action.

TP: What else can be done on the preventative side?

Mursch: It’s really the same old story – something is not patched or something is exposed to the internet when it shouldn’t be. The major core component of the problem is that servers and devices may not be able to be updated – and if they’re plugged into the internet they will be found. Once it’s out there, you should assume someone has already found it.

There’s no magical fix-all for this stuff.

We all need to take more of a proactive response – enterprises need to have well-defined security policies and take a proactive management approach instead of freewheeling it. Until then, expect to see Troy Hunt regularly tweeting out that he’s added another 100 million passwords or whatever it is that week to Have I Been Pwned.