New botnet attack "puts other IoT botnets to shame"

Bitdefender warns against this dangerous new IoT "dark_nexus" attack that is innovative and cheap for attackers to acquire.


A destructive new botnet that compromises vulnerable Internet of Things (IoT) devices and hijacks their resources to carry out devastating Distributed Denial of Service (DDoS) attacks is being reported by security research firm Bitdefender. The IoT botnet, which the company named "dark_nexus," has recently been found in the wild and is taking innovative and dangerous new approaches to successfully attacking IT infrastructure.


SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)

"Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original," Bitdefender said in a 22-page white paper released April 8 about the attacks, "New dark_nexus IoT Botnet Puts Others to Shame." While some of its features may be shared with previously known IoT botnets, the way some of its modules have been developed makes dark_nexus significantly more potent and robust, the report said.

"For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim's configuration," while also using a technique meant to ensure "supremacy" on the compromised device, according to the report. "Uniquely, dark_nexus uses a scoring system based on weights and thresholds to assess which processes might pose a risk. This involves maintaining a list of whitelisted processes and their process IDs (PIDs), and killing every other process that crosses a threshold of suspicion."

The dark_nexus botnet, which comprises at least 1,352 bots, apparently was developed by a known botnet author who has been selling DDoS services and botnet code for years online to other attackers for profit.

Bogdan Botezatu, director of threat research and reporting for Bitdefender, said that attackers use the botnet to launch DDoS attacks by instructing all of the hijacked devices to visit a web page or web service at the same time, which can crush that server under the workload.

"The victims won't even be aware that their devices are used as weapons against innocuous targets on the internet, even if the results might be catastrophic for victims or for the proper functioning of the internet," Botezatu said. "Case in point, in 2016, a group of teenagers used hijacked IoT devices to launch a devastating attack against core internet infrastructure that disrupted the internet in the U.S. for roughly a day, knocking Fortune 500 companies offline and causing financial loss that's impossible to estimate."

The DDoS attacks can be launched against servers, services, or networks to inundate them with traffic, taking down their typical operations.

The dark_nexus botnet is being promoted for sale on YouTube, with advertised prices as low as about $18.50 per month for 2,500 seconds of boot time, he said. For about $99 a month, attackers can buy unlimited access, making the botnet accessible to anyone with $20 and fairly basic computer skills to launch their own disruptions.


"IoT botmasters get in direct competition with one another, and they drive innovation in compromising devices, maintaining persistence and staying competitive on the market," said Botezatu. "They come up with better infection mechanisms than competitors, better marketing techniques, and lower rental prices, which makes DDoS affordable for everyone."

To fight attacks from the dark_nexus botnet, consumers and companies must constantly audit their internal networks to identify connected IoT devices and run vulnerability assessments to discover unpatched or misconfigured devices before attackers do, Botezatu said. "Since IoT standards and regulations are likely years away, it's the IoT consumer that bears the responsibility for their infrastructure."

That global lack of needed IoT security standards, which would harden IoT devices and make them less vulnerable to attacks, is a huge failing in the industry and enables these kinds of botnet attacks to be successful and lucrative for hackers.

SEE: Securing IoT in your organization: 10 best practices (free PDF) (TechRepublic)

In the meantime, he said, such attacks can be stopped with IoT security appliances that detect anomalous traffic and block such attacks at the network level, and by keeping devices continually patched, which effectively immunizes them against successful intrusions. Users can also protect their systems by disabling Telnet and SSH ports by default.

"Unfortunately, because most IoT vendors see cybersecurity as an afterthought, IoT botnets continue to thrive, grow, and impact organizations, creating significant loss of operation and downtime," he said.

Earlier versions of the approximately 3-month-old dark_nexus used exploits for propagation, but now the botnet solely propagates by brute force using the Telnet protocol, Botezatu said. "This is low-hanging fruit as it delivers the greatest number of breaches with the lowest cost and effort," he said.
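Because dark_nexus now spreads only by Telnet password guessing, the audit Botezatu recommends can be backed by a simple detection over device login logs. The following is an added example, not code from the article or from Bitdefender; the log format, hostnames and addresses are constructed for illustration, and it flags any source that fails more than a threshold of logins inside a sliding window, plus any success that follows such a burst from the same source (the likely sign of a compromised device).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not taken from the report or any real device).
SAMPLE_LOG = """\
Apr 08 10:00:01 cam01 telnetd[812]: login failed for 'root' from 198.51.100.7
Apr 08 10:00:02 cam01 telnetd[812]: login failed for 'admin' from 198.51.100.7
Apr 08 10:00:03 cam01 telnetd[812]: login failed for 'root' from 198.51.100.7
Apr 08 10:00:04 cam01 telnetd[812]: login failed for 'support' from 198.51.100.7
Apr 08 10:00:05 cam01 telnetd[812]: login failed for 'user' from 198.51.100.7
Apr 08 10:00:06 cam01 telnetd[812]: login succeeded for 'root' from 198.51.100.7
Apr 08 10:05:00 cam01 telnetd[812]: login failed for 'root' from 192.0.2.10
Apr 08 10:30:00 cam01 telnetd[812]: login succeeded for 'admin' from 192.0.2.10
"""

# Matches the constructed format above; adapt the pattern to your telnetd's real log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def detect_telnet_bruteforce(log_text, threshold=5, window_s=60, year=2020):
    """Return (source, alert_type, timestamp) tuples: one 'bruteforce' alert per
    source that reaches `threshold` failures within `window_s` seconds, and a
    'success-after-bruteforce' alert for every later success from that source."""
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "failed":
            q = failures[src]
            q.append(ts)
            # Sliding window: discard failures older than window_s before counting.
            while q and (ts - q[0]) > timedelta(seconds=window_s):
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "bruteforce", ts))
        elif src in flagged:
            alerts.append((src, "success-after-bruteforce", ts))
    return alerts
```

A single failure followed by a success (the second source above) is left alone, so the rule keys on the burst rather than on any failed login.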


SEE: Brute force and dictionary attacks: A cheat sheet (free PDF) (TechRepublic)

More than 50 percent of these bots originate in China, Korea, and Thailand, Botezatu said. "This list includes some uncommon combinations that we had not previously seen in use by bots, which, in our opinion, suggests that the author of dark_nexus put some effort into compiling it. The botnet does not appear to target any IP ranges in particular, rather, the random generation function operates using a blacklist similar to that of Mirai."
