Botnets Are Still Defying Traditional Security Measures
By Frank J. Ohlhorst
Botnets remain an evolving threat, and they are evolving faster than many technologies can combat them. That situation has created a conundrum for numerous industries that are prone to botnet-derived attacks. Take, for example, the banking industry, which has to balance ease of customer service with data privacy and security. Interestingly, this is not a new phenomenon: financial institutions have had to deal with botnet-based attacks for years; however, the ferocity and frequency of those attacks have rapidly increased.
Perhaps Dell SecureWorks explains it best in a report that offers some key findings:
- “New targets included cloud service providers, app stores, online tech stores, and organizations in the shipping, warehousing, e-commerce, and marketing industries.
- Attackers used banking trojans to target more than 1,500 financial institutions across more than 100 countries. Over 80 percent of the institutions were located in the United States, but institutions in the United Kingdom, Europe, and Australia were also popular targets.
- Small and mid-sized businesses have become popular targets for online banking fraud through credential theft and subsequent fraud via Automated Clearing House (ACH) transactions or wire transfers.
- Malware families expanded to new regions: the ISFB variant of Gozi targeted organizations in Eastern Europe, particularly Bulgaria; Shifu (a variant of Shiz) introduced campaigns targeting Japan; and Tinba added targets in Romania and Singapore.
- The number of attacks in Asia and the Middle East continued to increase.
- The Shifu, Reactorbot, and Corebot botnets became active, and there was increased activity from Gozi ISFB. However, Dyre mysteriously disappeared from the threat landscape.
- The Ramnit botnet reemerged in the fall of 2015 after some of its infrastructure was seized by law enforcement earlier in the year, and Bugat v5 (Dridex) immediately reemerged after a takeover operation in the fall of 2015. This resiliency challenges efforts by law enforcement and the security industry to permanently disable the botnets.
- The introduction of a new variant of Neverquest in the fall of 2015 and the constant evolution of ISFB, both variants of Gozi (originally discovered by Dell SecureWorks CTU), reflect the determination of attackers targeting the financial vertical.
- Botnets continue to rely on hidden network services such as Tor and Invisible Internet Project (I2P), as well as domain generation algorithms (DGAs), to resist surveillance and takedowns.
- By using private spam mailers, botnet groups continue to deviate from the “spam as a service” model.”
While much of the above is academic in nature, it illustrates some important trends: botnets are starting to rely on access paradigms to grow, and botnet-derived attacks are becoming more sophisticated and continue to evolve. That being said, it is becoming evident that traditional security technologies, such as firewalls, anti-malware, and intrusion prevention systems, are fighting a losing battle against the scourge of botnets. Simply put, organizations must turn to different security technologies to slow the advancement of botnets.
The threats are becoming more sophisticated: they now leverage trojans to steal bank credentials, as well as website cookies to impersonate victims, ultimately granting threat actors remote access to computers to exfiltrate stolen information. In other words, the success of botnets comes down to compromised credentials.
However, not all is lost; there are technologies that can stop botnets in their tracks, at least when it comes to the authentication piece of the puzzle. One of those technologies is MFA (Multi-Factor Authentication), which requires users to go through a multistep, insulated process to access systems. MFA is a logical progression in the battle against botnets, especially when one considers that today’s threat actors are focusing on weaker account security to advance their attacks.
Protecting systems, especially mobile devices, from botnet-derived attacks means incorporating an authenticator into an account that leverages MFA, which makes it much harder for an attacker to access the account. MFA requires users to have a login, a password, and a physical item such as a phone or a token. Having an authenticator has been proven to drastically increase account security.
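As an added illustration of the authenticator piece described above (this is example code, not code from the article or from AuthAnvil), here is the time-based one-time password check that a phone authenticator app and its server perform, written against the RFC 6238 defaults. The shared secret, the 30-second step, the 6-digit length and the one-step drift window are assumptions; the server-side verifier also refuses to accept a step that has already been used, so a code captured by a trojan cannot simply be replayed.

```python
import hashlib
import hmac
import struct

# Assumed parameters (RFC 6238 defaults): 30-second time step, 6-digit codes, HMAC-SHA1.
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / STEP).
    This is what the authenticator on the phone computes and displays."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, submitted: str, at: int,
                last_counter: int = -1, window: int = 1) -> tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the code for the current step and +/- `window` steps of clock drift,
    rejects any step at or before `last_counter` (the step stored after the last
    successful login) so a captured code cannot be replayed, and compares in
    constant time. Returns (accepted, counter_to_store_for_this_account).
    """
    current = at // STEP
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue                               # already consumed: replay attempt
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Constructed secret taken from the RFC 4226/6238 test vectors, not a real key.
    secret = b"12345678901234567890"
    print(totp(secret, 59))                        # prints 287082
    print(verify_totp(secret, "287082", 59))       # (True, 1)
    print(verify_totp(secret, "287082", 70, last_counter=1))  # (False, 1): replay refused
```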
For more information on incorporating MFA into your organization, please download AuthAnvil’s An Introduction to Two-Factor Authentication.