Routers and IoT Devices for
Botnet Operations

SOCFortress
4 min readSep 30, 2024

--

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

The Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) assess that cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity.

The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted U.S. networks. The botnet has regularly maintained between tens to hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices.

Victim devices part of the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia.

Botnet Command and Control

As with similar botnets, this botnet infrastructure is comprised of a network of devices, known as “bots”, which are infected with a type of malware that provides threat actors with unauthorised remote access.

The botnet uses the Mirai family of malware, designed to hijack IoT devices such as webcams, DVRs, IP cameras, and routers running Linux-based operating systems. The Mirai source code was posted publicly on the Internet in 2016, resulting in other hackers creating their own botnets based on the malware.

Post-compromise, the victim device executes a Mirai-based malware payload from a remote server. Once executed, the payload starts processes on the device to establish a connection with a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. The processes gather system information from the infected device, including but not limited to:

  • the operating system version
  • processor,
  • memory and
  • bandwidth details

and sends this info to the C2 server for enumeration purposes.

The malware also makes requests to “c.speedtest.net,” likely to gather additional Internet connection details.

A variety of subdomains of “w8510[.]com” were linked to the botnet’s C2 servers. As of September 2024, investigators identified over 80 subdomains associated with w8510.com

Virus Total Graph

A tier of upstream management servers using TCP port 34125 manage the botnet’s C2 servers. These management servers host a MySQL database which stored information used for the control of the botnet. The management servers hosted an application known as “Sparrow” which allows users to interact with the botnet. The code for the Sparrow application, stored within a Git repository, defines functions that allow registered users to manage and control the botnet and C2 servers, sending tasks to victim devices including DDoS and exploitation commands to grow the botnet.

Sparrow also contains functionality providing device vulnerability information to users. A subcomponent called “vulnerability arsenal” also allows users to exploit traditional computer networks through the victim devices in the botnet.

As of June 2024, this database contained over 1.2 million records of compromised devices.

Recommended Mitigations

  • Disable unused services and ports such as automatic configuration, remote access or file sharing protocols: Routers and IoT devices may provide features such as Universal Plug and Play (UPnP), remote management options and file sharing services, which threat actors may abuse to gain initial access or to spread malware to other networked devices. Disable these features if not needed.
  • Implement network segmentation to ensure IoT devices within a larger network pose known, limited, and tolerable risks. Use the principle of least privilege to provide devices with just enough connectivity needed to perform their intended function.
  • Monitor for high network traffic volume. Since DDoS attacks originating from botnets may at first appear similar to normal traffic, it is critical for organisations to define, monitor and prepare for abnormal traffic volumes. Monitoring is possible via firewalls or intrusion detection systems. Some network solutions such as proxies may mitigate DDoS incidents.
  • Apply patches and updates, including software and firmware updates. Regular patching mitigates many high-risk security vulnerabilities. If available, take advantage of automatic update channels from trusted network locations. Do not trust email messages claiming to provide software updates as attachments or via links to untrusted websites.
  • Replace default passwords with strong passwords. Many IoT products implement a device administration password in addition to other account passwords. Ensure all passwords are changed from their defaults, using a strong password policy. If possible, disable password hints.
  • Plan for device reboots. Rebooting a device terminates all running processes, which may remove specific types of malware, such as “fileless” malware that runs in the host’s memory. As a reboot may disrupt legitimate activity, users may need to prepare for service interruptions. Some devices provide scheduled reboot features, enabling reboots to occur at preferred times. If a compromised
    device fails to respond to reboot commands issued remotely, reboot physically.
  • Replace end-of-life equipment with devices that remain in respective vendor support plans.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

--

--

SOCFortress
SOCFortress

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

No responses yet