Older botnets are trending among cybercriminals. Here’s what you need to know, including how to defend against them.
By Willi Nelson, field CISO for OT, Fortinet
There’s a reason that threats from the digital world persist: cybercrime is among the most lucrative criminal enterprises on Earth. Malicious actors now operate more systematically and keep evolving their strategies, even reviving legacy techniques that had been shelved whenever their own return-on-investment metrics justify it. It’s similar to how movie producers will happily remake a time-honored classic if it will generate new revenue.
It’s hardly surprising that this “throwback” mindset has reached this sector, particularly where botnets are concerned, given that OT is swiftly becoming one of attackers’ preferred targets.
In the field of cybersecurity, botnets are nothing new. Since Khan K. Smith developed one in 2000 and used it to send 1.25 billion phishing emails over the EarthLink network, they have been part and parcel of the digital landscape. Even 23 years later, bad actors continue to use botnets to cause damage and disruption around the world for their own benefit.
When our FortiGuard Labs researchers looked at the top botnets of the second half of 2022 – in terms of prevalence and volume – we saw that many of them were old. In fact, of the top five, only one seemed to be from this decade. Two in particular – Mirai and Gh0st.Rat – continue to have significant impact. And according to IBM, Mozi is one of the most active Mirai-style variants.
It may be tempting to dismiss more traditional risks as obsolete, but OT organizations must continue to keep their guard up. For instance, when Mirai initially appeared in 2016, it caused chaos on the internet. Then, early in 2022, Mirai variants were seen exploiting Spring4Shell, a critical vulnerability in the Spring Framework that allowed unauthorized users to remotely execute commands on affected servers.
Although a patch was rapidly distributed, Mirai’s reach continued to grow as systems that had not yet been patched were compromised. Mirai is now hitting OT, with attacks on the manufacturing vertical higher than on any other sector.
If you examine the actual operating systems involved, you find that many OT devices run Linux. These systems offer attackers several avenues in, and attackers are now building Linux payloads for them. Botnet malware therefore extends well beyond the conventional Windows-based botnets.
Also, many outdated platforms and systems remain in use. It’s crucial to keep these systems updated with patches where patches are available. But the truth is that patches are sometimes simply unavailable because the systems are too old or have reached the end of their lives, in which case access to them has to be restricted by other means.
Platforms such as Linux are under attack, and new OT sensors and other technology are also targets. The increasingly tight coupling of OT with IT systems running Microsoft Windows and other platforms poses a serious threat of its own. That was the pattern in last year’s ransomware attacks: bad actors compromised IT first and then bypassed OT defenses by moving laterally into OT environments rather than targeting OT directly.
The resurgence of older botnets, as well as the emergence of new ones and the manufacturing focus of Mirai attackers, presents significant challenges for cybersecurity professionals. But these challenges are not insurmountable; they just require the right methodology.
Being proactive is essential. The average cost of a data breach in enterprise environments is more than $4 million, but in operational environments, this cost could be substantially more due to manufacturing and supply chain issues. Making security investments in advance is often significantly less expensive.
A good first step would be to implement a “never trust, always verify” zero-trust security model. This is crucial, especially as even some OT personnel work remotely and as IT/OT convergence continues. Deception technology is another step: decoys and traps that divert attackers’ attention away from an enterprise’s real assets and, because no legitimate system should ever touch them, yield high-confidence alerts.
A third step is adding threat intelligence and security services. Integrated with your security solutions, they provide coordinated, AI-powered defense against threats in real time, resulting in rapid detection and enforcement across the whole attack surface.
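To make the deception and detection steps concrete, here is an added example (not Fortinet’s code or a product feature) that runs over firewall log lines. The log format is a constructed, simplified key=value export, the decoy addresses are hypothetical, and the scanning heuristic relies on the well-documented fact that Mirai’s propagation code brute-forces telnet on TCP ports 23 and 2323: one source fanning out to many telnet targets in a short window is flagged as a scanner, and any connection to a decoy address is raised as its own alert.

```python
"""Detect Mirai-style telnet scanning and decoy touches in firewall logs.

Added example, not Fortinet's code. The log format below is a constructed,
simplified key=value firewall export; the decoy addresses are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical deception decoys: no legitimate system ever talks to them,
# so even one connection attempt is a high-confidence alert.
DECOY_HOSTS = {"10.20.0.250", "10.20.0.251"}

# Mirai's propagation code brute-forces telnet on TCP 23 and 2323.
TELNET_PORTS = {23, 2323}
SCAN_THRESHOLD = 5                   # distinct telnet targets from one source ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window => scanning

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def analyze(lines):
    """Scan chronologically ordered log lines and return a list of alert tuples.

    Denied connections count too: a scanner's fan-out shows up in the denies
    long before any login succeeds.
    """
    alerts = []
    telnet_hits = defaultdict(list)   # src -> [(ts, dst), ...] inside the window
    scan_reported = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(("decoy_touch", ev["src"], ev["dst"], ev["dport"]))
        if ev["dport"] in TELNET_PORTS:
            cutoff = ev["ts"] - SCAN_WINDOW
            hits = [h for h in telnet_hits[ev["src"]] if h[0] >= cutoff]
            hits.append((ev["ts"], ev["dst"]))
            telnet_hits[ev["src"]] = hits
            distinct = {dst for _, dst in hits}
            if len(distinct) >= SCAN_THRESHOLD and ev["src"] not in scan_reported:
                scan_reported.add(ev["src"])
                alerts.append(("telnet_scan", ev["src"], len(distinct)))
    return alerts


# Constructed sample: an engineering workstation (10.20.1.5) polling a PLC over
# Modbus (502) is normal; 10.20.1.17, a hypothetical infected camera, fans out
# over telnet and eventually hits a decoy. The 02:10:00 hit falls outside the
# window and must not count toward the threshold.
SAMPLE_LOG = """\
2024-03-04T02:10:00 src=10.20.1.17 dst=10.20.2.9 dport=23 action=deny
2024-03-04T02:15:01 src=10.20.1.5 dst=10.20.2.10 dport=502 action=allow
2024-03-04T02:15:03 src=10.20.1.17 dst=10.20.2.11 dport=23 action=deny
2024-03-04T02:15:04 src=10.20.1.17 dst=10.20.2.12 dport=23 action=deny
2024-03-04T02:15:04 src=10.20.1.17 dst=10.20.2.13 dport=2323 action=deny
2024-03-04T02:15:05 src=10.20.1.17 dst=10.20.2.14 dport=23 action=deny
2024-03-04T02:15:06 src=10.20.1.17 dst=10.20.0.250 dport=23 action=allow
2024-03-04T02:15:07 src=10.20.1.5 dst=10.20.2.10 dport=502 action=allow
2024-03-04T02:15:09 src=10.20.1.17 dst=10.20.2.15 dport=23 action=deny
"""


def sample_alerts():
    """Run the detector over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The decoy rule fires on a single event while the scan rule waits for fan-out, which is the usual trade-off: decoys are noise-free but only catch what wanders into them, whereas the fan-out heuristic sees scanners that never reach a decoy but needs a threshold tuned to the network.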
When looking at botnet trends by prevalence, four of the top five aren’t new. In fact, Mirai and Gh0st.Rat continue to prevail, and the manufacturing sector is a particular target for Mirai. OT/IT convergence has increased the occurrence of attacks against OT in the past few years, including critical infrastructure such as chemical manufacturing. Use the guidelines above to ensure you’re proactively protecting your network and all the value it holds.
Willi Nelson joined Fortinet as the CISO for Operational Technology in August 2022. He brings more than 25 years of experience in information security working across industry verticals such as healthcare, telecom, financials, manufacturing, and life sciences.
Most recently with GlaxoSmithKline (GSK), he established and directed the Global OT Infrastructure Security team charged with monitoring and protecting the OT assets for GSK. Globally, the team deployed 43 additional controls across the OT landscape assessed against NIST CSF and aligned business units to embrace a unified model for security, incident response, and risk reporting. During Willi’s tenure, he also oversaw the creation of the Security Organization and the Global Cyber Defense team for GSK’s Consumer Health startup (now called Haleon). Beyond building and leading the OT and Consumer Health security teams, he led the security team responsible for Cloud transformation for both IT and OT. Willi relies on a pragmatic and systematic approach to achieve company goals while also maturing the organizations and teams he leads.
Willi is a graduate of Rockhurst University in Kansas City, MO, USA and holds a CISSP (Certified Information Systems Security Professional) certification in good standing. Willi lives in NW Arkansas with his family. He’s an avid outdoorsman, cyclist, woodworker, and veteran.