FortiGuard Labs Threat Research
Over the past few years, we have watched the rise of ransomware as it successfully targeted a variety of vertical markets, especially healthcare, education, and financial services. And like almost all malware, it has also begun to evolve. For example, the WannaCry ransomware engine has recently been modified to support Cryptojacking attacks.
However, we have also been watching ransomware morph into something far more insidious.
The most recent RedEye ransomware not only encrypts your data, but it also destroys your Master Boot Record if you fail to pay within a designated period of time. But this isn’t the first time we have seen this behavior.
Back in the summer of 2016, the Mirai shadownet was responsible for the largest DDoS attack in history. It was built using millions of vulnerable IoT devices, and then used to bring down a large chunk of the Internet. This began a new ransomware trend: rather than having to break in and encrypt devices without being detected, which could take weeks to accomplish, attackers began using automated botnets of hijacked IoT devices to launch DDoS-based ransom attacks. Swarms of independent yet centrally controlled devices with no designated user, and often with no OS to patch or update, were especially difficult to combat.
However, the security research community also saw that there was a potential for this new attack vector to transform into something far more insidious. At the time, we predicted that Mirai was not an end in itself, but was primarily launched to test the capabilities of swarms of compromised IoT-based devices. And we were right.
The Hajime ransomworm was the successor to Mirai. While the impact of Mirai was unprecedented, it was still basically a blunt force instrument. Hajime, on the other hand, while built on the same principles, also included an impressive set of sophisticated cybertools. It was cross-platform, supporting five different platforms, and included a toolkit filled with automated tasks, remotely updatable password lists, and the ability to download other malicious code, such as Brickerbot.
Brickerbot was the first in a new generation of destructive malware, designed to disable the ability of IoT devices to connect to the internet. Its goal was to deliver a killing blow to a network rather than simply disrupting it for financial gain. Hajime was also able to identify CPE devices and protocols and then remove the rules that allow a CPE device to talk to its service provider. The potential risk to service providers was millions of devices all going dark simultaneously, with no heartbeat to see, control, or manage them.
These new attacks were especially impressive because most malware is actually pretty dumb. While it might have evasion techniques built into it, and be good at hiding in the noise of a device or the network, it is really only programmed with a specific set of objectives. A hacker designs it and points it at a target, and it either accomplishes its task or it doesn’t. Cybercriminals compensate for the binary nature of such malware in two ways: either through the time-intensive management of multiple tools to guide an attack to a specific target, or through volume. Send out enough malware, or have it replicate itself enough times, and it will eventually find itself loaded onto a device that it can exploit. It’s like the broken clock that is right at least twice a day.
Reaper changed that. While it was built using some of Mirai’s original code, it had also been armed with exploits covering nine different known vulnerabilities spanning a variety of IoT vendors. More concerning, it was also built using a Lua engine, an embedded programming language that enabled it to be remotely updated to enhance attack options on the fly, rather than launching with all of its attacks pre-loaded into the malware.
The recent discovery of the VPNFilter malware moved the needle even further towards launching destructive and highly contagious malware with far-reaching consequences. VPNFilter includes a kill command that disables a device by deleting all file systems and then rebooting the device, rendering it completely inoperable. Affected devices actually have to be replaced. Even worse, its self-destruct mode can be triggered across all infected devices simultaneously with a single command. And as of the writing of this article, over a million devices have already been compromised by this malware. Triggering this sort of self-destruct mechanism could potentially result in a widespread Internet outage or networks collapsing over a wide region, resulting in untold financial losses for affected organizations.
Of course, this is still just the tip of the iceberg. The introduction of automation will mean that attacks like these will not only come at us faster, but they will also reduce the time between breach and impact. Basic machine learning functionality will also enable them to learn how to bypass security tools and avoid detection.
Defending against a swarm of compromised IoT devices that not only can learn and adapt, but that are also programmed to ultimately destroy the devices they infect is extremely difficult. Part of the reason is that most of these devices, especially those deployed in residences and small businesses, are connected directly to the Internet without any security in place. Because so many of these devices have little to no security, they pose a serious risk to the digital economy. And due to their pervasive deployment, marshaling them together to engage in massive attacks would almost certainly bring a considerable segment of the digital economy to a grinding halt, disrupting business, affecting services, and potentially even impacting critical infrastructure. There are already millions of these unsecured devices online just waiting for someone to hijack them, with billions more expected to come online in just the next few years.
Fortunately, there are things that you can do right now to prepare to defend your organization from this gathering threat.
Threats are getting smarter, more destructive, and increasingly able to operate autonomously. We expect to soon see malware designed with adaptive, success-based learning to improve the success and efficacy of attacks. This new generation of malware will be situation-aware, meaning that it will understand the environment it is in and then make calculated decisions about what to do next. In many ways, it will begin to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, intelligently evading detection, and then waiting to deliver a lethal punch.
This is not a matter of if, but when, which is why it’s critical that every organization become aware of these emerging risks and begin to take appropriate countermeasures now. In the escalating cyberwar, enterprises need to be able to fight automation with automation. That means deploying integrated expert security systems that can automatically collect, correlate, share, and respond to threats in a coordinated fashion, anywhere across the distributed network ecosystem, in order to isolate an attack, quarantine compromised network segments and devices, and quickly recover without compromising the integrity of your network or reputation. More than ever, an eyes-wide-open approach to security is a fundamental component of competing and surviving in today’s digital economy.
Check out the latest Fortinet Quarterly Threat Landscape Report for more details about recent threats.