Zerobot is a self-perpetuating botnet. Its primary function is to reproduce itself, moving through vulnerable hosts and turning them into zombie devices that answer to its operators. Each recruit scans for neighbouring hosts, blindly grasping for the next device it can infect. In time, its designers hope, the botnet spreads exponentially, growing to hundreds of thousands, perhaps even millions of devices.
This process does not always run smoothly: botnets can be depleted at any time as rival criminals discover the same badly secured devices, whether they be internet routers, door cameras or smart fridges, and wipe them to evict whatever malware is already there. “Some devices exchange owners two or three times a day,” says Bogdan Botezatu, director of threat research at BitDefender. But once a botnet has grown to a sufficient size, the gang controlling it can launch Distributed Denial-of-Service (DDoS) attacks and extort the targeted companies for payment to restore their online presence, or else use the infected IoT devices to prise open access to the beating heart of an organisation so that others can deploy ransomware on its most critical systems.
There are fleets of zombie devices, controlled by malware written in Java and Golang, wielded by cybercriminals across the globe. Worse, the malware they deploy is growing in sophistication, expanding the types of devices that ‘botmasters’ can bend to their will. Zerobot, for example, can now compromise firewall appliances, routers and CCTV cameras, adding new capabilities regularly and expanding its device coverage and, therefore, its potential power. Regulations are being written that demand security is baked into IoT devices during their manufacture, but for the devices already in the wild it may already be too late.
Zerobot botnet and enterprise IoT
Zerobot is an exemplar in this regard: a powerful, evolving threat written in the Go programming language. A recent Microsoft security report stated that the latest version of its malware probes each device against a list of known vulnerabilities, with seven more added in that release alone. Unlike some other IoT-focused malware, Zerobot is operated as DDoS-for-hire, or a ‘booter’, with control of its bots sold and priced by the hour on several websites. Such sites, read a recent bulletin from the US Department of Justice, ‘were used to launch millions of actual or attempted DDoS attacks’. Despite an FBI-led crackdown on booter domains in December, the botnet is still at large.
The actual cost of using a botnet can vary wildly, ranging from $5 for a simple test up to a full-blown DDoS attack priced at $6,500. The payoff derived from using these botnets to stand between demand for and the supply of popular services can more than justify the upfront cost. “Take the World Cup,” says Botezatu. “Everybody is placing bets online when, suddenly, a botnet strikes the agencies’ websites. Criminals say they will prevent any more bets being placed until they receive $100,000 in bitcoin.”
Botnets can also provide lucrative access to enterprise systems, much like an initial access broker (IAB) selling a foothold to a ransomware gang. “Cybercriminals know what kinds of hosts they have compromised, so they will sell access to the infected devices to criminals who want to take the attack even further,” explains Botezatu.
A notorious IoT botnet called Mirai provided the blueprint for most current IoT DDoS-for-hire operations. At its peak, the botnet had infected more than 600,000 vulnerable IoT devices. In October 2016, it was used to knock many of the web’s most popular sites offline for users across the US East Coast by flooding Dyn, a DNS provider headquartered in New Hampshire, with traffic. By noon that day the company was hit by a second DDoS attack, and another wave four hours later, choking internet traffic across the region.
Standardisation failure
It’s a state of affairs that has the potential to get much, much worse. Most IoT devices have been designed to prioritise functionality over security, in the absence of any strict standards obliging manufacturers to harden them against malware. As such, vast swathes of the estimated 15.1 billion IoT connections embedded in homes, offices and warehouses are vulnerable to being hijacked by criminal gangs. Such devices are also in danger of being taken over by nation-state actors, a threat that looms larger when one considers that an estimated 14.7 billion IoT devices will perform vital, sector-specific services across energy, transportation, retail and healthcare.
Somewhat belatedly, the UK, the EU and the US have all passed, or are about to pass, legislation mandating tougher cybersecurity standards for IoT devices. Even so, national rules do not stop citizens buying insecure products from abroad, which is why international standards are needed. Singapore has proven a leader in this regard, striking a deal in October 2021 with Finland providing for mutual recognition of each other’s IoT security labelling schemes. The following year, Singapore embarked on a similar partnership with Germany, before signing a tripartite agreement with the UK and Canada on IoT security. ‘Our three governments are working together to promote and support the development of international standards and industry guidance,’ read the joint statement.
International agreements such as these will naturally take time to implement. Until then, consumers and businesses alike will be plagued by the dangers of insecure IoT devices. The best way for CISOs to ensure security in the meantime, explains Kaspersky threat researcher David Emm, is to “engage in active monitoring of their networks.” For larger enterprises, that might require machine learning to cope with the volume of traffic.
“There are products that will allow companies to monitor their environment in this way,” adds Emm. “Such products and services make use of machine learning to ensure efficient analysis and detection of threats.”
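One way to put that advice into practice is to watch for the behaviour described at the top of this piece: a freshly infected device sweeping its neighbours for the next host to infect. The script below is an added example written for this article, not code from BitDefender, Kaspersky or any product Emm refers to. It assumes a simple flow-log line format, constructs a handful of sample flows (an infected camera sweeping twenty neighbours on Telnet, a healthy device, and a slow-but-broad browser), and flags any source that reaches at least MIN_TARGETS distinct destinations on one port inside a WINDOW. The addresses, log format and thresholds are all assumptions for the example, not published indicators for Zerobot or any other botnet.

```python
"""Fan-out (neighbour-sweep) detector over constructed IoT flow logs.

Added example: a minimal form of the 'active monitoring' recommended above.
A self-propagating bot reaches many neighbouring hosts on a few ports in a
short time, so the detector looks for a source that touches at least
MIN_TARGETS distinct destinations on one port within WINDOW. Log format,
addresses and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed detection window
MIN_TARGETS = 8                  # assumed fan-out threshold; tune per network

# Assumed log format: "<ISO timestamp> <src ip> -> <dst ip>:<dst port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)


def parse_flow(line):
    """Parse one flow line into (timestamp, src, dst, port); None if malformed."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def detect_fan_out(lines, window=WINDOW, min_targets=MIN_TARGETS):
    """Return {(src, port): sorted targets} for every source that reached at
    least `min_targets` distinct destinations on one port within `window`."""
    by_key = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed input must not take the detector down
        ts, src, dst, port = flow
        by_key[(src, port)].append((ts, dst))

    flagged = {}
    for key, events in by_key.items():
        events.sort()  # by timestamp, so each window is a contiguous slice
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[key] = sorted(targets)
                break
    return flagged


def make_flows(src, port, first_host, count, start, step_seconds=1):
    """Construct `count` flows from `src` to consecutive 10.20.0.x hosts."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} "
        f"{src} -> 10.20.0.{first_host + i}:{port}"
        for i in range(count)
    ]


T0 = datetime(2023, 1, 10, 9, 0, 0)
# Constructed sample log. 10.20.0.0/24 stands in for a camera/printer VLAN.
SAMPLE_LOG = (
    # An infected camera sweeps twenty neighbours on Telnet in twenty seconds.
    make_flows("10.20.0.15", 23, 16, 20, T0)
    # A healthy device: DNS to the gateway, HTTPS to a single cloud endpoint.
    + [
        f"{T0.isoformat()} 10.20.0.40 -> 10.20.0.1:53",
        f"{(T0 + timedelta(seconds=5)).isoformat()} 10.20.0.40 -> 203.0.113.10:443",
        f"{(T0 + timedelta(seconds=65)).isoformat()} 10.20.0.40 -> 203.0.113.10:443",
    ]
    # Five web hosts over eight minutes: broad but slow, stays under threshold.
    + make_flows("10.20.0.41", 80, 50, 5, T0, step_seconds=120)
    + ["corrupted line that should be skipped"]
)

if __name__ == "__main__":
    for (src, port), targets in detect_fan_out(SAMPLE_LOG).items():
        print(f"{src} reached {len(targets)} hosts on port {port} "
              f"within {WINDOW.seconds}s, e.g. {targets[:3]}")
```

Only the sweeping camera is reported; the device that touches five hosts over eight minutes stays under the threshold, which is the trade-off to keep in mind: a bot that throttles its scanning will need a longer window or a lower threshold, at the cost of more false positives from chatty but legitimate devices.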
They’ll certainly be busy. Part of the reason why botnets have grown so sophisticated in recent years, explains Botezatu, is the malign innovation of nation-states competing to undermine each other’s systems. The potency of malware propagated by the likes of Zerobot or Emotet, he argues, has been sharpened by the current war in Ukraine, with code written by apex-predator hackers based in Moscow and Kyiv filtering down the food chain to the common-or-garden hackers embedded in criminal gangs. Companies should not be surprised, therefore, to find that the malware infecting their camera systems and security gates had its origin in some desperate military operation deep in the Donbas.