First level attackers may not be humans
- sandeep karnik
- Dec 7, 2024
- 3 min read

Ever wondered, "Why would someone target me for a cyber attack?" They may not be after you per se, but after your computer: to turn it into a slave that gets added to a botnet, then use it to launch further attacks, or sell remote access to it as a subscription on the dark web. Botnets are hundreds of slave computers remotely controlled by a threat actor who can use them at will for nefarious activities. (Are you thinking of zombies?)
Recently the FBI dismantled the world's largest botnet, 911 S5. It spanned 200 countries and was linked to over 600,000 IPs. Yes, these things are real. (Reference: https://www.cobalt.io/blog/fbi-dismantles-worlds-largest-botnet)
Bots are small programs. Malicious bots scan the entire internet, every IP indiscriminately (yours could be one of them!), looking for open ports and vulnerabilities. Once they find some, they try to exploit them and then report back to their human masters. Voilà! These bots can scan thousands of IPs and websites in a matter of minutes.
Does all this sound straight out of some sci-fi movie? Here are examples -
In December 2023, Jason’s Deli experienced a credential stuffing attack where bots used stolen credentials to access customer accounts, leading to unauthorized access to personal data.
Role of Bots: Automated bots were employed to test a large number of stolen username and password combinations across Jason’s Deli’s online platform. This automated process aimed to identify accounts where users had reused credentials from other breaches, allowing attackers to gain unauthorized access.
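The credential-stuffing pattern described above (one source trying many different usernames in quick succession, most of them failing) is visible in ordinary web authentication logs. The following is an added example, not code from the original post or from PalaviTech: the log format, the IP addresses and the usernames are constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Credential-stuffing detection over web authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, made-up users).
# 203.0.113.7 tries six different accounts in three seconds and gets one hit,
# which is what a stuffing bot replaying a breach dump looks like.
# 198.51.100.4 is a real user mistyping their own password twice.
SAMPLE_LOG = """\
2024-12-01T10:00:01Z 203.0.113.7 login user=alice result=fail
2024-12-01T10:00:02Z 203.0.113.7 login user=bob result=fail
2024-12-01T10:00:02Z 203.0.113.7 login user=carol result=fail
2024-12-01T10:00:03Z 203.0.113.7 login user=dave result=success
2024-12-01T10:00:03Z 203.0.113.7 login user=erin result=fail
2024-12-01T10:00:04Z 203.0.113.7 login user=frank result=fail
2024-12-01T10:00:10Z 198.51.100.4 login user=grace result=fail
2024-12-01T10:00:15Z 198.51.100.4 login user=grace result=fail
2024-12-01T10:00:20Z 198.51.100.4 login user=grace result=success
"""


def parse_auth_log(text):
    """Parse the constructed 'ts ip login user=<u> result=<r>' format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _action, user_kv, result_kv = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user_kv.split("=", 1)[1],
            "ok": result_kv.split("=", 1)[1] == "success",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempt >= min_users distinct usernames within `window`.

    Returns {ip: {"distinct_users": n, "attempts": n, "compromised": [...]}}.
    "compromised" lists accounts that logged in successfully from a flagged IP;
    those need a forced password reset, not just a block on the source address.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        # Sliding window over this IP's attempts, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_users:
                f = findings.setdefault(
                    ip, {"distinct_users": 0, "attempts": 0, "compromised": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["attempts"] = max(f["attempts"], len(win))
                f["compromised"] |= {e["user"] for e in win if e["ok"]}
    for f in findings.values():
        f["compromised"] = sorted(f["compromised"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The distinct-username count is what separates stuffing from a single user locked out of their own account: a per-IP failure count alone would flag the legitimate user at 198.51.100.4 as readily as the bot. Real campaigns spread attempts over many source IPs, so in practice the same window is also applied per username and per user-agent, and the hit list drives a password reset rather than just an IP block.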
In 2021, LinkedIn faced a significant data scraping incident where bots extracted data from over 700 million user profiles, which was later found for sale on hacker forums.
Role of Bots: Automated bots were used to scrape publicly available data from LinkedIn profiles. These bots systematically extracted information such as names, email addresses, phone numbers, and workplace details from user profiles.
Reference: https://www.bbc.com/news/business-57841239
In 2016, the Mirai botnet orchestrated a massive DDoS attack on DynDNS, disrupting major websites like Twitter, Netflix, and Reddit by overwhelming them with traffic.
Role of Bots: Compromised IoT devices in the Mirai botnet sent excessive traffic to overwhelm Dyn’s servers, disrupting major websites.
When it comes to enslaving a computer, this happens in 3 stages -
1. Discover the host and find vulnerabilities
2. Exploit and pwn the host
3. Enslave - add it to the botnet
Behind all this is a command and control center (commonly referred to as C2 in botnet parlance) that centrally and remotely controls all the slave hosts. The organization managing the C2 server can use the botnet to carry out attacks themselves, or rent the botnet, or part of it, to a bidder. Imagine your machine being used and rented out without you knowing it!
An interesting reference is BlackEnergy, a malware agent that performs exactly the steps above. Check out https://en.wikipedia.org/wiki/BlackEnergy
This piece of malware would also be dropped by other malware: e.g. the ransomware called NotPetya (https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/), which wreaked havoc in the 2016-18 timeframe, would drop BlackEnergy too on the infected machine.
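Two of the behaviours this post describes leave footprints in a network's own connection logs: the indiscriminate scanning bot that probes many ports and many hosts from one source, and the enslaved machine that checks in with its C2 server on a fixed schedule. The example below, added here and not part of the original post or of PalaviTech's material, runs both detections over a constructed flow log; the log format, addresses and thresholds are assumptions, and real bots spread their scans across many sources and add jitter to their check-ins, so these are starting points rather than finished rules.

```python
"""Scan and C2-beacon detection over a connection (flow) log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: timestamp, source, destination, destination port.
# 203.0.113.9 walks several ports on one host and one port across many hosts
# (a scanning bot seen from inside the network); 10.0.0.5 connects to
# 198.51.100.20:443 every 60 seconds (a bot beaconing to its C2);
# 10.0.0.8 is ordinary browsing with irregular timing.
SAMPLE_FLOWS = """\
2024-12-01T09:00:00Z 203.0.113.9 10.0.0.5 22
2024-12-01T09:00:00Z 203.0.113.9 10.0.0.5 23
2024-12-01T09:00:01Z 203.0.113.9 10.0.0.5 80
2024-12-01T09:00:01Z 203.0.113.9 10.0.0.5 443
2024-12-01T09:00:01Z 203.0.113.9 10.0.0.5 3389
2024-12-01T09:00:02Z 203.0.113.9 10.0.0.6 445
2024-12-01T09:00:02Z 203.0.113.9 10.0.0.7 445
2024-12-01T09:00:02Z 203.0.113.9 10.0.0.8 445
2024-12-01T09:00:03Z 203.0.113.9 10.0.0.9 445
2024-12-01T09:00:03Z 203.0.113.9 10.0.0.10 445
2024-12-01T09:00:03Z 203.0.113.9 10.0.0.11 445
2024-12-01T09:00:05Z 10.0.0.5 198.51.100.20 443
2024-12-01T09:01:05Z 10.0.0.5 198.51.100.20 443
2024-12-01T09:02:05Z 10.0.0.5 198.51.100.20 443
2024-12-01T09:03:05Z 10.0.0.5 198.51.100.20 443
2024-12-01T09:04:05Z 10.0.0.5 198.51.100.20 443
2024-12-01T09:05:05Z 10.0.0.5 198.51.100.20 443
2024-12-01T09:00:07Z 10.0.0.8 192.0.2.10 443
2024-12-01T09:00:09Z 10.0.0.8 192.0.2.11 443
2024-12-01T09:03:40Z 10.0.0.8 192.0.2.10 443
2024-12-01T09:04:02Z 10.0.0.8 192.0.2.12 80
2024-12-01T09:08:30Z 10.0.0.8 192.0.2.10 443
"""


def parse_flows(text):
    """Parse the constructed 'ts src dst dport' lines into (time, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return flows


def detect_scanners(flows, min_ports=5, min_hosts=5):
    """Flag sources that touch many distinct ports (vertical scan) or many
    distinct hosts (horizontal scan). Thresholds are assumed starting values."""
    ports = defaultdict(set)  # src -> distinct destination ports
    hosts = defaultdict(set)  # src -> distinct destination hosts
    for _t, src, dst, dport in flows:
        ports[src].add(dport)
        hosts[src].add(dst)
    return {
        src: {"distinct_ports": len(ports[src]), "distinct_hosts": len(hosts[src])}
        for src in ports
        if len(ports[src]) >= min_ports or len(hosts[src]) >= min_hosts
    }


def detect_beacons(flows, min_connections=5, max_jitter=0.2):
    """Flag (src, dst, port) series whose inter-connection gaps are nearly constant.

    Jitter is the coefficient of variation (stdev / mean) of the gaps; a bot
    calling home on a timer scores near 0, human browsing scores far higher.
    Returns {(src, dst, port): mean_gap_seconds}.
    """
    series = defaultdict(list)
    for t, src, dst, dport in flows:
        series[(src, dst, dport)].append(t)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # avg == 0 means a burst at one instant, not a timed check-in.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", detect_scanners(flows))
    print("beacons:", detect_beacons(flows))
```

The two detections are complementary: the scan check catches stage one of the enslavement sequence from the outside looking in, while the beacon check catches an already enslaved host from the inside looking out, which is the host that needs isolating and reimaging rather than merely firewalling.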
How to safeguard -
Keep your machine updated at all times and do not download anything unsolicited, i.e. something you didn't ask for and do not recognize.
Of course, there will always be zero-day attacks (as in the case of NotPetya), and then even keeping the OS updated wouldn't help. That calls for other security measures such as zero trust, the principle of least privilege, etc. Security is never a silver bullet and has to be done with "Layers of Defense", or Defense in Depth.
Contact us to know more and see how PalaviTech can help you secure your business!