All About the Bots: What Botnet Trends Portend for Security Pros

Protecting your organization against botnet threats requires a holistic, integrated approach to security

Botnets have become a fixture in the threat landscape, but they are no longer primarily focused on DDoS attacks. They continue to evolve, adopting newer cybercriminal attack techniques as they emerge, and have become multi-purpose attack vehicles that draw on an assortment of more sophisticated methods, including ransomware.

For example, threat actors – including operators of botnets like Mirai – integrated exploits for the Log4j vulnerability into their attack kits. Let’s take a look at what we’re seeing and what these trends mean for security professionals and their respective organizations.

The background on bots

Botnets give a view of post-compromise activity, in contrast to the pre-compromise side of cyber threats that IPS (intrusion prevention system) and malware trends usually show. Once infected, systems often attempt to communicate with remote hosts, making this traffic an important part of monitoring the full scope of malicious activity. In ATT&CK parlance, botnet traffic is most indicative of Command and Control (C2) TTPs.
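Monitoring for that post-compromise traffic is easier when the check-in pattern is made concrete. The script below is an added example, not from the article or any vendor product: it reads outbound connection records and scores each (source, destination) pair by how regularly spaced its connections are, since near-constant spacing is one trait of a bot checking in with its C2 server. The log format, the sample lines (RFC 5737 documentation addresses) and the thresholds are all constructed for this example; it also covers the behavioral-baselining advice later in the article, since the same statistics feed a baseline of what "normal" spacing looks like per host.

```python
"""Beaconing detection over outbound connection logs (added example).

Scores each (src, dst) pair by the regularity of its connection
intervals. Regularly spaced connections to one remote host are one
trait of bot check-ins to a command-and-control (C2) server.
Log format, sample lines and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>".
# 10.0.0.5 checks in every 5 minutes (beacon-like); 10.0.0.9 is busy but
# irregular; 10.0.0.8 has too few connections per destination to judge.
SAMPLE_LOG = """\
2021-11-02T10:00:00 10.0.0.5 203.0.113.7:443
2021-11-02T10:00:00 10.0.0.8 198.51.100.20:443
2021-11-02T10:00:00 10.0.0.9 192.0.2.10:8080
2021-11-02T10:01:12 10.0.0.9 192.0.2.10:8080
2021-11-02T10:01:50 10.0.0.9 192.0.2.10:8080
2021-11-02T10:05:00 10.0.0.5 203.0.113.7:443
2021-11-02T10:06:00 10.0.0.9 192.0.2.10:8080
2021-11-02T10:06:40 10.0.0.9 192.0.2.10:8080
2021-11-02T10:07:31 10.0.0.8 198.51.100.21:80
2021-11-02T10:10:00 10.0.0.5 203.0.113.7:443
2021-11-02T10:12:05 10.0.0.8 198.51.100.22:443
2021-11-02T10:15:00 10.0.0.5 203.0.113.7:443
2021-11-02T10:20:00 10.0.0.5 203.0.113.7:443
2021-11-02T10:25:00 10.0.0.5 203.0.113.7:443
2021-11-02T10:31:17 10.0.0.8 198.51.100.20:443
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def beacon_stats(records, min_connections=5):
    """Per (src, dst) pair: connection count, mean interval (s) and jitter.

    Jitter is the coefficient of variation of the inter-connection
    intervals (population std dev / mean); near 0 means near-constant
    spacing. Pairs with fewer than min_connections are skipped because
    too few intervals make the statistic meaningless (assumed threshold).
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        # Identical timestamps give avg == 0; treat that as "not a beacon".
        jitter = pstdev(intervals) / avg if avg > 0 else float("inf")
        stats[pair] = {"count": len(times), "mean_interval": avg, "jitter": jitter}
    return stats


def flag_beacons(records, min_connections=5, max_jitter=0.2):
    """Return (src, dst) pairs whose spacing is regular enough to look like check-ins."""
    stats = beacon_stats(records, min_connections)
    return sorted(pair for pair, s in stats.items() if s["jitter"] <= max_jitter)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for pair, s in beacon_stats(recs).items():
        print(pair, s)
    print("beacon candidates:", flag_beacons(recs))
```

On the sample data only the 10.0.0.5 pair is flagged: its six connections are exactly 300 seconds apart (jitter 0), while 10.0.0.9 makes just as many connections but with a jitter near 0.9 and so is treated as ordinary traffic. In production the same statistics would be computed per host over a longer window, with the jitter and count thresholds tuned against a baseline of legitimate periodic traffic such as update checks and monitoring agents, which are the main source of false positives for this technique.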

We’ve seen that the most prevalent botnets across our sensors tend to stay the same over time, mainly because persistent control is a prized commodity among cybercriminals and a great deal of work goes into preserving their investment in malicious infrastructure. That’s why the most successful botnets are impressive in their consistency over time. In the second half of 2021, we saw that the biggest names in botnets – Mirai, ZeroAccess and Pushdo – continued to reign supreme.

The new bots on the block

That said, there was still plenty of screen time for many new upstarts in the world of bots.

Outside of the aforementioned big three, we saw an increase in July and August in detections of Warzone RAT, which could also be called “BargainZone RAT” due to its reputation as a low-cost, high-functionality malware-as-a-service tool. Blackberry’s description of the RAT as “the choice for aspiring miscreants on a budget” is aptly put. In an era of commoditization in cybercrime markets, Warzone has established a successful business model.

It’s also worthy of note that in September and October, we saw an uptick in RedLine Stealer malware, especially in the Middle East and Europe. Technically, this isn’t a newcomer; it’s been around since at least early 2020, with cybercriminals using it to nab credentials from infected systems. Furthermore, that uptick isn’t likely to be an isolated incident, as RedLine’s developers regularly morph the malware to find new victims. In fact, FortiGuard Labs recently discovered a new variant in the form of a COVID-themed file, “Omicron Stats.exe.” It won’t be the last.

Even when security professionals and law enforcement manage to take down a threat, their success is sometimes short-lived. The coordinated takedown of Emotet in April 2021 was a huge deal for the cybersecurity world – only for it to return in November. That said, its comeback was weak. Emotet activity is well below what it once was and not nearly as rampant globally. For example, two-thirds of detections were limited to the region of Latin America, where activity was 25x higher than in Europe and North America.

Combatting the scourge of bots

So, what’s the takeaway in all of this? The major point is that botnets are growing in sophistication – and they are leveraging all manner of attack techniques. Protecting your organization against botnet threats requires a holistic, integrated approach to security. Point products need to be replaced with security devices designed to operate as a unified solution to consistently protect every user, device and application. This approach also enables centralized management to ensure that policies are enforced consistently, configurations and updates are delivered promptly, and suspicious events are centrally collected and correlated.

It’s also vital to harden your Linux systems and OT environments, including adding tools designed to protect, detect and respond to threats in real time. Similarly, take a security-first approach when adopting new technologies, whether upgrading Windows systems or adding satellite-based connectivity, to ensure protections are in place before adding them to your network. In addition, deploy behavioral analytics to discover and block attacks during initial reconnaissance and probing efforts to prevent problems that can arise when they are only found later in the attack chain.

In addition, you should deploy AI and machine learning capabilities across the network to baseline normal behavior, correlate threat data, respond instantly to changes, and detect and disable sophisticated threats before they can execute their payloads. Consider deception technologies to turn traditionally passive security into active defense systems.

If you wait, you’re too late

We’re likely to see record-level volume and viciousness of cyberattacks this year. Bringing network and security tools together into a proactive cybersecurity mesh architecture is vital as you protect your organization today from the next generation of threats. Broad deployment, deep integration and dynamic automation should be the hallmarks of any security system used to protect networks. If you wait until some indeterminate time in the future to make these necessary changes, you may find that you’re too late.