
How Breach & Attack Simulation Addresses The Botnet Malware Threat

By Bhavesh Shah - Senior Writer Last updated: Dec 24, 2023

In 2021, security researchers discovered what is now known as the largest botnet of the past six years. Referred to as “Pink,” this botnet reportedly infected more than 1.6 million different devices. Its main purpose was to use the infected devices in Distributed Denial of Service (DDoS) campaigns. It also had the secondary goal of inserting ads into insecure HTTP websites.

Botnets are a worsening problem, especially during the pandemic, with businesses and people going online en masse. Because the migration online was abrupt, many did not have the opportunity to plan their actions, especially with respect to cybersecurity. Botnets like Pink are not to be underestimated, as they have the potential to create serious concerns.

These issues are not without a solution, though. They can be addressed effectively with the right tools and defensive measures. One of the best solutions available now is breach and attack simulation (BAS). It is a useful tool in mitigating cases of possible assault, as it mimics potential instances of attacks, so organizations can plug security gaps and improve defenses as needed.

Table Of Contents

  • BAS as an effective solution
  • BAS vs botnets
  • The threat of botnets
  • Prevention is better than cure

BAS as an effective solution

So what is breach and attack simulation, and what makes it an effective cyber threat solution? Simply put, breach and attack simulation is the mimicry of actual cyberattacks or security breaches not only to determine if security controls are working the way they should, but also to find weaknesses in them. There could be a semblance of normalcy in the way security controls are working, but there may be small but potentially disastrous vulnerabilities not detected and addressed.

BAS thoroughly examines security hardware, software, and policies to ensure that there are no security weaknesses that can be exploited by threat actors. The threat landscape constantly changes. An identified and preventable attack at one point may already evolve into something more complex later, and existing controls may no longer be effective at detecting and blocking it. Similarly, anti-malware software tools may be doing a good job blocking attacks at one moment but become ineffective after a day or even a few hours.

Breach and attack simulation explores various scenarios with an adversarial perspective. It strives to uncover vulnerabilities comprehensively, instead of relying heavily on internal cyber threat intelligence and the threat data supplied by vendors to identify and stop potential attacks. In other words, it goes beyond template threat identification by analyzing security controls in light of the different attack methods cybercriminals would possibly undertake. It digs deep into an organization’s security posture to find issues instead of simply matching threat data with suspected malware files or actions.

Together with the MITRE ATT&CK framework, BAS helps significantly expand the security visibility of organizations. The framework’s growing knowledge base of adversarial tactics and techniques guides security teams in detecting and stopping attacks, especially the newly discovered ones. This combination allows cybersecurity teams to assemble and execute a full kill chain in a continuous, automated, and scalable manner.

BAS vs botnets

The widespread Pink botnet is an example of how botnets can be dangerous and why it helps to implement breach and attack simulation. It is sophisticated and can evade conventional security controls, as evidenced by the millions of devices infected.

Pink mainly enters networks through MIPS-based fiber routers. It attempts to take over the devices' communication, relying on C2 servers, P2P networks, and third-party platforms such as GitHub. It then tries to encrypt transmission channels to prevent legitimate management of the infected devices.

The devices’ vendors will of course try to regain the management of the devices. There will be attempts to resolve the device management issue. In the process, the Pink botnet operators get to know what the vendors are doing, and they introduce their own firmware updates on the contaminated devices until they assume control.

Nevertheless, this takeover is not that difficult to address. Reportedly, most of the 1.6 million devices taken over by Pink have already been repaired. Only around 100,000 contaminated nodes remain and are attributed to over 100 DDoS attacks. The problem is mainly the response of the organizations owning the devices or the device vendors that are expected to maintain some degree of management over them.

If organizations implement breach and attack simulation, botnets like Pink are not that difficult to detect and eliminate. Pink is already logged in the MITRE ATT&CK framework, so most BAS platforms are not going to miss the tactics and techniques involved in spreading it. Most other botnet malware operates in fundamentally the same way Pink does. Organizations that are already using BAS can be reassured they are unlikely to be hosting and propagating botnets in their networks.
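How a BAS run becomes a list of gaps, as an added example that is not from the article or from any BAS product: it scores constructed simulation results per ATT&CK technique and per security control. The technique IDs are real ATT&CK entries, but pairing them with the botnet behaviours described above, the control names and the outcomes are assumptions made for illustration.

```python
from collections import defaultdict

# Real ATT&CK technique IDs; pairing them with the botnet behaviours the
# article describes (C2 traffic, encrypted channels, GitHub, DDoS) is an assumption.
TECHNIQUES = {
    "T1071": ("Command and Control", "Application Layer Protocol"),
    "T1573": ("Command and Control", "Encrypted Channel"),
    "T1102": ("Command and Control", "Web Service"),
    "T1498": ("Impact", "Network Denial of Service"),
}
RANK = {"untested": -1, "missed": 0, "detected": 1, "prevented": 2}

# Constructed simulation results: (technique, security control, outcome).
RESULTS = [
    ("T1071", "egress-firewall", "prevented"),
    ("T1071", "ids", "detected"),
    ("T1573", "ids", "missed"),
    ("T1573", "endpoint-av", "missed"),
    ("T1102", "web-proxy", "detected"),
    ("T1102", "endpoint-av", "missed"),
    ("T1498", "netflow-monitor", "detected"),
]

def coverage(results, techniques=TECHNIQUES):
    """Best outcome any control achieved per technique; unsimulated ones stay 'untested'."""
    best = {tech: "untested" for tech in techniques}
    for tech, _control, outcome in results:
        if tech not in techniques or outcome not in RANK:
            raise ValueError(f"unknown technique or outcome: {tech} {outcome}")
        if RANK[outcome] > RANK[best[tech]]:
            best[tech] = outcome
    return best

def gaps_by_tactic(results, techniques=TECHNIQUES):
    """Techniques that no control detected or prevented, grouped by ATT&CK tactic."""
    gaps = defaultdict(list)
    for tech, outcome in coverage(results, techniques).items():
        if RANK[outcome] < RANK["detected"]:
            gaps[techniques[tech][0]].append(tech)
    return dict(gaps)

def blind_controls(results):
    """Controls that missed every simulation they were exercised in."""
    seen = defaultdict(set)
    for _tech, control, outcome in results:
        seen[control].add(outcome)
    return sorted(c for c, outcomes in seen.items() if outcomes == {"missed"})

if __name__ == "__main__":
    print(coverage(RESULTS), gaps_by_tactic(RESULTS), blind_controls(RESULTS))
```

A technique counts as covered when at least one control detects or prevents it, so the gap list reflects the layered defence rather than any single product; techniques that were never simulated are reported as gaps too.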

The threat of botnets

Some may be wondering if botnets are really that dangerous. Is there really an urgency to address them? The description of the Pink botnet above, after all, does not seem to be that sinister and severely damaging. The botnet malware appears to only infect devices and makes them available for certain purposes.

Here are some important details that need to be mentioned emphatically. According to the National Cybersecurity Alliance, if your device is infected with botnet malware, it essentially becomes a tool for cybercriminals. “It communicates and receives instructions about what it’s supposed to do from ‘command and control’ computers located anywhere around the globe. What your computer does depends on what the cybercriminals are trying to accomplish,” the NCA says.

The infected computer, gadget, IoT appliance, or other web-enabled devices can then be used to do the following:

  • Launch Distributed Denial-of-Service attacks
  • Harvest data including social security numbers, passwords, secrets, personal details, contacts, credit card numbers, and other sensitive information
  • Distribute further malware

These are by no means benign activities. Organizations whose devices have become part of a botnet may not become the DDoS attack target themselves, but they could be running their hardware inefficiently because of the unwanted data transmissions of the infected devices. The botnet activities are likely adding a considerable unnecessary burden on devices.

Worse, the infected computers could be exposing sensitive data or unwittingly enabling access to networks. There may be no file deletions or corruption, key logging, pesky ads, or unwanted encryption (ransomware attack), but the adverse impact could be happening silently and gradually. Organizations may already be leaking vast amounts of critical data before they learn about the botnet malware infection.

Prevention is better than cure

Breach and attack simulation is an effective preventive measure against botnet malware. BAS guides organizations to patch software, remove devices, or tweak and strengthen security controls before their vulnerabilities are exploited by bad actors. It is not itself the cure, but it can act as a good diagnostic tool to help determine if an organization’s devices have already been infected.

The botnet problem is not going away anytime soon. As The Spamhaus Project reported recently, the botnet threat has been increasing quarter after quarter in the past year. It is important to have the right defenses and to treat botnet malware as a serious threat not to be downplayed and ignored.
