The Evolving Threat Landscape - Swarmbots, Hivenets, Automation in Malware


Over the past several months, the FortiGuard Labs team has been tracking a number of evolving trends related to the FortiGuard 2018 Threat Landscape Predictions article published just before the beginning of the year. This mid-year update provides new details concerning recent advances in some of the techniques and malware tied to those predictions. In particular, the accelerated development of several precursors of Swarmbots and Hivenets are especially worth revisiting. Others include the increased targeting of critical infrastructure, the development of automation in malware exploits, and the use of blockchain technology to anonymize the command and control of botnets.

Of course, these trends aren’t happening in isolation. They are beginning to overlap at the same time that digital transformation is driving the convergence of traditionally isolated networks, including the growing integration of IT and OT networks within a single enterprise, along with the convergence of large systems to support massive, hyperconnected environments such as smart cities. For example, as developers actively add automation and new SCADA-focused exploits to their malware, that malware can be used to target not only traditional networks but OT networks as well, enabling attackers to take out critical infrastructure. And we also see the emergence of blockchain-based command and control systems that shield the criminal organizations or nation-states launching such attacks from attribution and takedown.

Hivenets and Swarmbots

I have written several times about the next step in the evolution of botnets being a scalable architecture based on integrated and autonomous swarm intelligence. Swarm-based attacks can significantly decrease the time needed to breach a system by leveraging things like stigmergy, which is a consensus-based social network mechanism of indirect coordination between agents. Swarm-based insect colonies such as ants and bees use this process to manage the collection and distribution of resources and workloads. Likewise, artificial swarms can quickly share collected intelligence, accelerate trial and error, and then apply specific attacks to a vulnerability by leveraging those specialized members of the swarm armed with specific exploits. Not only will this emerging development accelerate the time required to breach a system, but the sheer volume that can be applied by a swarm-based botnet targeting multiple devices and exploits simultaneously can quickly overwhelm traditional defense systems.

The Hide ‘N Seek IoT botnet, first detected this past spring, has moved the bar significantly closer to enabling a botnet to function as a swarm. It communicates in a complex and decentralized manner using custom-built peer-to-peer communication to implement a variety of malicious routines. It also leverages multiple anti-tampering techniques to prevent a third party from hijacking or poisoning it, and it is also the first IoT botnet malware strain that can survive device reboots and still remain on compromised devices.

Hide ‘N Seek also supports bidirectional commands, enabling a single node within a larger botnet to request and receive a response, thereby enabling it to execute a variety of exploits against a growing number of devices simultaneously rather than delivering a single, pre-programmed payload, such as was used by Mirai. This development is especially critical for achieving the sort of communication-feedback mechanisms required for a swarm to operate autonomously.

It is also the first in-the-wild malware to actively target home automation systems. FortiGuard Labs has been monitoring this botnet malware carefully since researchers first discovered it at the start of the year. And while it initially targeted routers, IP cameras, and DVRs, its latest iteration now also targets cross-platform database solutions and smart home devices.

Given that the number of connected IoT devices is predicted to reach 20.4 billion by 2020, and that end users are deploying a growing segment of these devices for home and business automation, it is easy to predict that this area will continue to be a high-priority focus for cybercriminal and nation-state actors for a long time to come.

Targeting Critical Infrastructure

As we have seen with Hide ‘N Seek, cybercriminals are maximizing the impact of botnets by loading them with multiple malicious attacks. WICKED, another Mirai-based botnet variant, recently added at least three new exploits to its toolkit, enabling it to target unpatched IoT devices better. And VPNFilter, the advanced nation-state-sponsored attack, is also able to target SCADA/ICS environments. VPNFilter represents a significant new threat because it not only performs data exfiltration but can also render devices, including industrial control systems, completely inoperable. It can shut off compromised devices individually, or shut them all off simultaneously using a centralized trigger.

VPNFilter was first documented and shared this past May with the Cyber Threat Alliance (CTA), an organization co-founded by Fortinet and made up of leading security research teams. It is part of another line of IoT-targeted threats that we have been tracking over the past few years. In addition to targeting a growing number of IoT-based devices, compromising hundreds of thousands of routers and switches, it also targets SCADA/ICS environments by monitoring Modbus SCADA protocol traffic and exfiltrating website credentials that can then be used to infiltrate critical infrastructure environments. Modbus is an open serial communications protocol developed for use with Programmable Logic Controller (PLC) devices in OT environments, and OT operators widely use it for connecting different types of industrial electronic devices across a variety of networks.

Like Hide ‘N Seek, VPNFilter can also perform a wide variety of compromises, including data exfiltration, command execution, file collection, and device management, and as mentioned previously, it can also render infected devices inoperable, enabling it to take a network or network segment offline with a single command.

Enhancing the Dark Web Economy through Automation

Adding automation to malware is critical if cybercriminals want to be able to outperform today's network security tools. Criminal developers are also adding automation to the advanced services they are offering on dark web marketplaces. Automation is also a critical step along the path towards applying machine learning, and eventually AI, to cyber attacks.

AutoSploit is a mass exploiter that automates the exploitation of remote hosts. It collects specific targets through advanced online search engines such as Shodan or Zoomeye that are designed to locate specific connected devices and includes the option to customize targets and host lists. The program allows a criminal to enter a platform-specific search query and it then generates a list of candidates. Once a hacker has selected the devices to attack, AutoSploit then leverages the Metasploit library of penetration tools to automatically match the targets with all related exploits. It then systematically fires those exploits at those devices until one of them breaks through. A successful breach is then reported back using a proxy and custom user agent to prevent tracing the traffic back to the operator.

Because it is open source, even individuals with limited technical skills can now run their cybercriminal enterprises by targeting and launching attacks through a nearly entirely automated system, exponentially increasing the opportunity to steal data or deliver ransomware successfully. The increased use of automation will continue to have a powerful impact on the ROI of current or future cybercriminal enterprises and will help drive a continuing and growing interest in its potential earning power. ROI is also a key driver of the ongoing development of swarm technology, helping to optimize business functions for cybercriminals through such things as agile development, distributed resources, decentralized C2, and autonomous adaptability through a combination of machine learning and specialized swarmbots functioning as a part of an integrated swarm community.

Because cybercriminal groups function as a business, they make decisions about their use of, and investment in, resources the same way any legitimate enterprise does. The decision to either buy, build, or reuse an existing exploit depends upon a financial model that assesses their current assets, such as human skillsets and tools (including pre-written exploits and available infrastructure), along with their cash flow, and then weighs risk against ROI.

If, for example, they don’t have any new zero-day exploits available for a planned spearphishing attack, they may research and develop a new one. But it might be more cost-effective to simply buy one on the darknet. Given the growing complexity of both the networks cybercriminals are targeting and the malware required to compromise them, it is difficult for one criminal enterprise to excel at all parts of the attack chain. This is why cybercriminals today tend to specialize in specific areas, such as writing their own tools or managing data (which they can also resell), and then combining it either with what is already available on the open source market or buying or commissioning what’s not.

Creating Swarm Networks

Tools like AutoSploit are another critical building block in enabling people to build the new generation of swarm networks. By inserting this automated functionality into a botnet of compromised devices, attacks will be able to function as part of a cooperative, integrated system. Automation is a tremendous cost-reduction tool for an attacker because it removes the overhead associated with using a human monitor who has to decide every step in an attack. Automating swarm networks is a significant step forward because using people to control large networks is extraordinarily inefficient in terms of response times, especially when the attack surface is a heterogeneous mix of different OS and device types that require separate mechanisms for launching an exploit, delivering a payload, exfiltrating data, and reacting to detection.

Using Blockchain for command and control

As organizations like the FBI and Interpol work harder to track and arrest cyber attackers, criminals are being forced to look for new ways to avoid detection, attribution, and capture. Bitcoin taught us it was possible to build systems that are deployed between multiple entities to conduct transactions without compromising the privacy of individual participants. This ability makes Blockchain a desirable candidate for creating anonymous C2 systems. Until recently, however, this was just a theory. But now, security researcher Omer Zohar has successfully used blockchain technology to create a takedown-resistant, command-and-control infrastructure for botnets built on top of the Ethereum network.

The biggest challenge of any botnet is maintaining communication with its controller. C2 communications are the weakest link in any botnet environment, exposing a bot herder to detection and takedown. An interesting development, therefore, is the integration of several elements into a single solution: 1) using automation to build swarms, 2) leveraging swarm intelligence for resource utilization, and 3) using Blockchain for a secure last point of contact/communication with an autonomous swarm to replace more vulnerable C2 solutions such as Fast Flux networks (a technique used by botnets to hide malware delivery sites) or P2P communications.

While most people only consider Blockchain in terms of digital currencies, it can also be used to provide a wide range of other functionality. For example, secure blockchain communications are immune to data modification, eavesdropping, MITM attacks, and replay attacks. They also ensure high availability, as a node is always able to find the C2 server. Such a system is also highly scalable: it can support any number of implants and any load of transactions, limited only by the overhead required to run the blockchain. Because only valid implants can connect, it can also prevent things like replays and honeypotting. One of the most critical advantages of blockchain technology is anonymity. Since it hinders law enforcement from gathering information on network operators, it represents a dangerous new challenge. And because there is no single point of failure, and the lack of a logic path prevents an adversarial takeover of the network, it is also takedown resistant.
