Security Experts:

Lots and Lots of Bots: Looking at Botnet Activity in 2021

A botnet today can be used as a foundation for bad actors to carry out other attacks later

Botnets continue to be a major problem for cybersecurity teams. With the growth in sophisticated threats, botnets are becoming more malicious, sometimes able to create hundreds of thousands of drones that can attack a variety of machines, including Mac systems, Linux, Windows systems, edge devices, IoT devices, and so on. 

Examining threat trends around botnet activity is helpful because it provides a glimpse into the malicious activities tied to Command and Control tactics. In the first half of 2021, the percentage of organizations detecting botnet activity jumped from 35% to 51%, according to the latest global threat landscape report from FortiGuard Labs.

That increase was led by a surge in the use of TrickBot, which was taken offline in 2020 but came back on the radar in mid-2021, not as prolific as before. Designed initially as a banking trojan but since evolved into a sophisticated, modular and multi-stage toolkit supporting a range of illicit activities. TrickBot certainly wasn’t the only such botnet being used however, as FortiGuard Labs researchers saw.

Major botnet trends

The surge we’ve seen so far this year is rather peculiar for aggregate botnet activity. Mirai was the most prevalent, overtaking Gh0st in 2020 and continuing to dominate ever since. Mirai became notorious several years ago after fueling massive IoT-based DDoS attacks. Since that time, it’s continued adding new cyberweapons to its arsenal to maintain its dominance. It’s likely that Mirai’s dominance stems at least in part from attackers seeking to exploit IoT devices used by (or proximate to) remote workers. 

Also, during the first half of this year, Gh0st has been noticeably active. The remote access botnet allows malicious actors to take full control of the infected system, access live webcam and microphone feeds, download and upload files, log keystrokes and perform other nefarious activities.

In a very unusual twist, other than Gh0st and Mirai, most of the remaining botnets we saw in 2021 weren’t in the top 10 previously. The usual suspects tend to turn up every time, so it’s surprising to see some newcomers to the group. The prominent bump in prevalence toward the end of the half-year demonstrates those newcomers helped drive overall botnet activity to new heights. Communications with the Trochilus botnet bumped up early in the year, particularly in Oceania and Southeast Asia. 

What’s behind the surge

The traditional perimeter is obviously a relic of the past. The edge – as defined as the kind of barrier between your own network, your LAN and the internet access – has faded away. There are cloud services, mobile services, web services – so there is no edge anymore; everyone’s living on the edge. Organizations are accessing the internet in all sorts of ways, including IoT and other devices, and attackers are leveraging this and finding new ways into your organization. They’re landing and expanding. They’re moving horizontally throughout the network and thinking, “Even if I can only access you through an IoT device, how can I use that to perhaps obtain a more valuable target?” 

We’re seeing a lot of web-borne threats and, unfortunately, many environments still aren’t segmented or secured the way they should be. And attackers are definitely using botnets to take advantage of this. A botnet today can be used as a foundation for bad actors to carry out other attacks later. 

Next steps

With the traditional edge no more, that means the old ways of securing environments no longer fly, of course. And this means that organizations need to look for ways to expand cybersecurity beyond the edge. Addressing the ongoing security challenges related to increasingly distributed networks and the rapidly dissolving network perimeter can seem daunting. 

The first steps to address these challenges, particularly for remote access, include moving to modern endpoint security solutions and embracing a zero-trust model. That means no user or device is trusted until fully verified. Zero trust access (ZTA) focuses on role-based access control to the network. Its partner, zero-trust network access (ZTNA), relates to brokered access for users to applications and allows organizations to extend the zero-trust model beyond the network.

In addition, advanced, automated endpoint protection, detection, and response endpoint security solutions need to provide visibility into devices and their state, strong protection measures, remote monitoring tools and threat remediation for endpoint devices of all kinds.

New security strategies

Botnet attacks continue to rise, with many new varieties entering the field. Old defense strategies won’t work, which highlights the need for new ones, including ZTA and ZTNA. Another needed strategy is more proactive collaboration among organizations and law enforcement, like the kind that helped bring down Emotet. Modern endpoint security solutions will also go a long way toward securing your borderless network.

view counter
Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.